# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# FILE-MULTIMEDIA RULES
#-----------------------
# ---- Review notes for this vendored rule file (snort2-docker) ----
# * A leading '#' on a rule means it ships DISABLED. Nearly every rule in this file
#   is disabled and is tagged only "policy max-detect-ips" (or carries no policy tag
#   at all), i.e. it is not active in the connectivity/balanced/security policies.
#   Enable rules through the rule manager (pulledpork enablesid, or a copy in
#   local.rules) rather than by editing this file: edits made here are clobbered by
#   the next ruleset refresh of the image.
# * The file is a point-in-time snapshot (copyright header 2001-2019). Parser bugs
#   published after that date have no coverage baked into the image; the build or
#   the running container needs a rule-update step.
# * Every "flowbits:isset,file.<type>" below depends on a matching "flowbits:set"
#   elsewhere in the loaded ruleset (in a stock Snort 2 set, file-identify.rules).
#   If that file is not loaded, or the setter for a type is itself disabled, the
#   dependent rule can never fire and nothing warns you about it.
# * "file_data" searches the decoded body buffer produced by the http_inspect /
#   smtp / imap / pop preprocessors. They must be enabled with body/attachment
#   decoding in snort.conf, otherwise base64 mail attachments never reach these
#   matches. Rules that omit file_data search the raw stream instead.
# * $EXTERNAL_NET, $HOME_NET, $SMTP_SERVERS, $FILE_DATA_PORTS and $HTTP_PORTS must be
#   set to fit the deployment; left at "any", the to_server rules inspect every
#   host on tcp/25 and the to_client rules inspect every response from outside.
# * Several rules below match a public PoC byte-for-byte (a fixed address, a
#   shellcode stub, or padding) rather than the malformed field itself. A hit is
#   high-confidence; a miss says nothing about whether the parser is protected.
#
# sid 26724 / 26667 (CVE-2005-0043, iTunes playlist): a playlist entry whose
# http(s):// URL runs 1000 (resp. 550+) bytes with no CR/LF; the length checks are
# the detection, the URL prefix only locates the field.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]"; depth:10; nocase; isdataat:1000; content:"File"; distance:0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:26724; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes playlist overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http"; offset:7; nocase; content:"://"; within:4; isdataat:550,relative; content:!"|0D|"; within:1000; content:!"|0A|"; within:1000; metadata:policy max-detect-ips drop, service smtp; reference:cve,2005-0043; classtype:attempted-user; sid:26667; rev:3;)
# sid 26564 (CVE-2009-0954, QuickTime clipping region): byte_jump by the 4-byte size
# stored 8 bytes back from the "crgn" tag, then requires the 4 bytes 8 back from the
# landing point to be something other than 7F FF 7F FF.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Movie file clipping region handling heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"clip"; content:"crgn"; within:4; distance:4; byte_jump:4,-8,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:26564; rev:5;)
# sid 26472 (CVE-2007-4676 / CVE-2009-0010, PICT): a fixed 6-byte opcode sequence at
# offset 522 (just past the 512-byte PICT header, picSize and picFrame), followed by
# a PCRE that appears to look for a poly opcode (0x70-0x77) with a size below 10.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; depth:6; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:26472; rev:5;)
# sid 26318 / 26317 (Cool Player Plus): no CVE, only an exploit-site URL. The bytes
# 8A 1D F3 77 at offset 220 look like a hard-coded 32-bit little-endian address
# lifted from the PoC (0x77F31D8A), so a re-targeted sample is missed.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|8A 1D F3 77|"; offset:220; metadata:service smtp; reference:url,1337day.com/exploit/20242; classtype:attempted-user; sid:26318; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Cool Player Plus M3U buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|8A 1D F3 77|"; offset:220; metadata:service ftp-data, service http, service imap, service pop3; reference:url,1337day.com/exploit/20242; classtype:attempted-user; sid:26317; rev:4;)
# sid 26243 / 26242 (CVE-2011-5170, CCMPlayer): playlist starting with "C:\" and at
# least 1024 bytes before any CR LF or ".mp3" CR LF.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"C|3A 5C|"; depth:3; isdataat:1024,relative; content:!"|0D 0A|"; within:1024; content:!".mp3|0D 0A|"; within:1024; metadata:service smtp; reference:bugtraq,50859; reference:cve,2011-5170; classtype:attempted-admin; sid:26243; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"C|3A 5C|"; depth:3; isdataat:1024,relative; content:!"|0D 0A|"; within:1024; content:!".mp3|0D 0A|"; within:1024; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50859; reference:cve,2011-5170; classtype:attempted-admin; sid:26242; rev:7;)
# sid 26109 (CVE-2008-1022, QuickTime obji): an "obji" atom whose 4-byte size (the
# field 8 bytes back from the end of the tag, i.e. just before it) is below 20.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Obji Atom parsing stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"obji"; byte_test:4,<,20,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:26109; rev:5;)
# sid 25797 (CVE-2008-4558, VLC XSPF): a <track> whose <identifier> starts with "-"
# (negative index). The "within" windows are byte counts of the decoded XML.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:"<trackList>"; nocase; content:"<track>"; within:200; nocase; content:"<identifier>-"; within:1000; nocase; content:"</track>"; within:1000; nocase; content:"</trackList>"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-4558; classtype:attempted-user; sid:25797; rev:6;)
# sid 25796 / 25795 (CVE-2013-0077, MS13-011): the ONLY two rules in this stretch
# that ship ENABLED (policy balanced-ips / security-ips drop). The match is the MPEG
# sequence_header start code 00 00 01 B3 followed by the literal filler "AAAAAA" BA
# from the public PoC, used as fast_pattern:only. A hit is high-confidence, but the
# rule keys on the PoC's padding rather than on the malformed field, so a sample
# with different padding is not caught; do not read an absence of hits as coverage.
# Both also need the file.mpeg flowbit to be set elsewhere (file-identify rules)
# before they are evaluated at all.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25796; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25795; rev:2;)
# sid 25502 (CVE-2008-3012, MS08-052, EMF): no flowbits gate; anchors on " EMF" at
# offset 40, then a record of type 0x46 (EMR_COMMENT) whose declared size is saved
# as "size", carrying the "EMF+" signature and the bytes 00 00 C0 FF inside it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft GDI EMF malformed file buffer overflow attempt"; flow:to_client,established; file_data; content:" EMF"; depth:4; offset:40; content:"|46 00 00 00|"; byte_extract:4,4,size,relative,little; content:"EMF+"; within:4; content:"|00 00 C0 FF|"; within:size; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3012; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-user; sid:25502; rev:4;)
# sid 25298 (CVE-2012-0444, Ogg Vorbis): an exact 16-byte snapshot as
# fast_pattern:only - a PoC signature, not a structural check.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ogg; file_data; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25298; rev:6;)
# sid 24955 (CVE-2011-3834, Winamp AVI): extracts the size of the INFO sub-chunk and
# fires if that many bytes are NOT present. Note the isdataat is absolute (no
# "relative"), so it only flags a chunk claiming to be longer than the whole buffer;
# sid 23567 (MS09-038 avih) uses the relative form. Confirm which is intended before
# enabling.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST"; depth:8; offset:8; content:"hdrlavih"; within:8; distance:4; content:"INFO"; distance:0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:service smtp; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:24955; rev:3;)
# sid 24699 (CVE-2012-0664, QuickTime text track): no flowbits; "{QTtext}" at the
# very start of the body, then a {descriptor:value} whose value is 1023+ bytes.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; file_data; content:"{QTtext}"; depth:8; pcre:"/\x7b[^\x3a\x7d]+?\x3a[^\x7d]{1023}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0664; classtype:attempted-user; sid:24699; rev:6;)
# sid 24672 (CVE-2011-2140, Flash MP4 SPS): the flowbits test uses "&", so BOTH
# file.quicktime AND file.swf must be set on the flow; a bare MP4 will not match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime&file.swf; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; content:"avc"; distance:0; content:"|FF E1|"; within:128; byte_test:2,>,256,0,relative; byte_test:2,>,256,21,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2140; reference:url,adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:24672; rev:8;)
# sid 24641 (CVE-2006-4381, QuickTime H.264): NO file_data - the atom chain is
# searched in the raw stream, so a base64-encoded mail attachment is unlikely to
# match. Fires on an avcC entry whose 2-byte length after FF E1 is 0x8000 or more.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4|file.m4v; content:"moov"; nocase; content:"trak"; distance:0; nocase; content:"mdia"; distance:0; nocase; content:"minf"; distance:0; nocase; content:"stbl"; distance:0; nocase; content:"stsd"; distance:0; nocase; content:"avc1"; distance:0; nocase; content:"avcC"; distance:0; nocase; content:"|FF E1|"; within:2; distance:4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24641; rev:5;)
# sid 24550 (CVE-2012-0667, QuickTime): "vrsg" after "hspa" with a 2-byte value at
# +14 above 0x7000.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg"; distance:0; byte_test:2,>,0x7000,14,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24550; rev:5;)
# sid 24283 (CVE-2011-0531, VLC webm): EBML magic, "webm" doctype at a fixed offset,
# then the element ID 15 49 A9 66 (Matroska Info) with a specific 4-byte size prefix
# and a following 4-byte value above 1024.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt"; flow:to_server,established; flowbits:isset,file.webm; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; nocase; content:"|15 49 A9 66 01 00 00 00|"; distance:0; byte_test:4,>,1024,0,relative; metadata:service smtp; reference:bugtraq,46060; reference:cve,2011-0531; reference:url,videolan.org/security/sa1102.html; classtype:attempted-user; sid:24283; rev:4;)
# sid 24220 (CVE-2010-1799, QuickTime SMIL): a src= value of 449+ bytes that does
# not start with http/https/http1/https1://; the PCRE is the real check.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime streaming debug error logging buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.smil; file_data; content:"<smil"; fast_pattern:only; content:"src"; nocase; isdataat:449,relative; pcre:"/^\s*\=\s*(?![\x22\x27]?http(|s|1|s1)\x3a\x2f{2})(\x22[^\x22]{449}|\x27[^\x27]{449}|\S{449})/iR"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:24220; rev:5;)
# sid 23943 (CVE-2008-4255, MS08-070, VB6 AVI): the only SMB-delivered rule in this
# stretch ($EXTERNAL_NET ports 139/445 -> $HOME_NET, to_client): an AVI read from an
# OUTSIDE share whose "strf" chunk size exceeds 1088. Reads from internal shares are
# not covered, and there is no file_data / flowbits gating.
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; content:"RIFF"; depth:100; content:"AVI "; within:4; distance:4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:23943; rev:5;)
# sid 23623 (CVE-2009-0002, QTVR): "tkhd" with flags 00 00 00 0F; the PCRE's negative
# lookahead appears to reject the identity-matrix values (00 01 00 00 ... 00 01 00 00)
# 40 bytes in, i.e. it fires on any non-identity matrix.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime VR Track Header Atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; isdataat:40,relative; pcre:"/trak.{4}tkhd.{40}(?=.{20})(?!\x00\x01\x00\x00.{12}\x00\x01\x00\x00)/s"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33384; reference:cve,2009-0002; reference:url,support.apple.com/kb/HT3403; classtype:attempted-user; sid:23623; rev:5;)
# sid 23588 / 23587 (CVE-2012-0677, iTunes M3U): #EXTINF / #EXTM3U at the start of
# the body followed by a 512+ byte run with no CR/LF.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTINF"; depth:7; pcre:"/^\x23EXTINF.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23588; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23587; rev:8;)
# sid 23581 (CVE-2012-0659, QuickTime MPEG): a PES start code with stream id in
# C0..EF, byte_jump over the 2-byte packet length (post_offset -4), then FF FF FF FF
# must sit at the landing point.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_jump:2,1,relative,post_offset -4; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:23581; rev:8;)
# sid 23576 .. 23570 (CVE-2009-2498, MS09-047, ASF): six siblings with one shape.
# Each locates the 16-byte GUID CB A5 E6 14 .. 5B 5A, requires the dword 4 bytes
# after it to be zero (the high half of the 8-byte object size), saves the low half
# of that size from 8 bytes back as "objectsize", looks for a second GUID 68 bytes
# on (the per-rule fast_pattern), and fires when the 4-byte value 2 bytes past that
# GUID is larger than objectsize - an inner object claiming to be bigger than its
# container. The only difference between the six is the second GUID. All are
# disabled and max-detect-ips only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23576; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23575; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23574; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23573; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23572; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23571; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_server,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:23570; rev:5;)
# sid 23569 / 23568 / 23567 (CVE-2009-1545 / CVE-2009-1546, MS09-038, AVI):
#  - 23569: avih declares size "8" 00 00 00 (= 56) but fewer than 56 bytes follow.
#    "only_stream" means it is evaluated on the reassembled stream only.
#  - 23568: avih declares any size other than 56.
#  - 23567: extracts the avih size and fires if that many bytes do not follow
#    (relative check).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_server,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih8|00 00 00|"; within:12; distance:4; isdataat:!56,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23569; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih"; within:8; distance:4; byte_test:4,!=,56,0,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:23568; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI Header insufficient data corruption attempt"; flow:to_server,established; flowbits:isset,file.avi; file_data; content:"RIFF"; fast_pattern; content:"AVI "; within:4; distance:4; content:"avih"; distance:0; byte_extract:4,0,chunk_size,little,relative; isdataat:!chunk_size,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35967; reference:cve,2009-1545; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-038; classtype:attempted-user; sid:23567; rev:5;)
# sid 23565 (CVE-2009-1537, MS09-028, QuickTime in DirectShow): the byte 58 past
# "stsd" is above 31.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:23565; rev:4;)
# sid 23490 (CVE-2010-0842 / CVE-2011-3545, Java RMF MIDI): $HTTP_PORTS only; an
# IREZ container with MThd/MTrk headers, then a 00 B0 (MIDI control change,
# channel 0) followed two bytes on by 00.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Oracle Java MixerSequencer RMF MIDI structure handling exploit attempt"; flow:established,to_client; flowbits:isset,file.rmf; file_data; content:"IREZ"; depth:4; fast_pattern; content:"MThd"; distance:0; content:"MTrk"; distance:0; content:"|00 B0|"; within:6; distance:4; content:"|00|"; within:1; distance:1; metadata:service http; reference:bugtraq,39077; reference:cve,2010-0842; reference:cve,2011-3545; classtype:attempted-user; sid:23490; rev:7;)
# sid 23272 (CVE-2012-0677): to_client twin of the SMTP rule sid 23588.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTINF"; depth:7; pcre:"/^\x23EXTINF.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23272; rev:10;)
# sid 21805 (CVE-2009-2485, HT-MP3Player): a fixed 8-byte sequence at offset 4108
# (E9 = x86 jmp rel32, followed by what looks like part of a hard-coded address) -
# a PoC signature with no structural check.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA HT-MP3Player file parsing boundary buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.ht3; content:"|E9 EF EF FF FF 6C 40 00|"; depth:8; offset:4108; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43811; reference:cve,2009-2485; classtype:attempted-user; sid:21805; rev:4;)
# sid 21775 .. 21770 (CVE-2007-3895, MS07-064, DirectShow): six siblings that find
# an AVI chunk/list tag ("str" + [ndfhl] via PCRE, JUNK, LIST, hdr1, avih, movi) and
# fire when the 4-byte little-endian size that follows exceeds 4294967286
# (0xFFFFFFF6) - a length that wraps once a small header is added. These are
# integer-wrap checks, not PoC snapshots. Note sid 21772 matches "hdr1" (digit one);
# the RIFF list type is "hdrl" (letter L). If that is a typo the rule never sees a
# real header list; confirm against the original rule source before relying on it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"str"; nocase; pcre:"/^[ndfhl]/smiR"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21775; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"JUNK"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21774; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21773; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"hdr1"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21772; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"avih"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21771; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"movi"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:21770; rev:5;)
# sid 21397 (MicroP .mppl): no CVE, no reference, classtype trojan-activity. Needs
# 1276+ bytes of body and B5 45 01 10 somewhere in the first 1280 - reads like a
# hard-coded return address from the PoC.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MicroP mppl stack buffer overflow"; flow:to_client,established; flowbits:isset,file.mppl; file_data; isdataat:1276; content:"|B5 45 01 10|"; depth:1280; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21397; rev:8;)
# sid 21393 (Magix Musik Maker 16): no CVE, no reference, no flowbits. A 20-byte
# blob followed by an x86 stub: 33 C0 64 8B 40 30 is xor eax,eax / mov eax,fs:[eax+30h]
# (PEB lookup), i.e. a shellcode prologue, then 83 C0 48 ... walking structures.
# Any re-encoded shellcode evades it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Magix Musik Maker 16 buffer overflow attempt"; flow:to_client,established; file_data; content:"|5D C6 9F 2E C2 53 02 20 04 80 FA 1F 12 3A FF 1F FF FF FF FF|"; fast_pattern; content:"|33 C0 64 8B 40 30 83 C0 48 83 C0 48 8B 10 83 C2 4C 83 C2 4C 8B 12|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21393; rev:8;)
# sid 21168 (CVE-2011-3834): to_client twin of the SMTP rule sid 24955; same
# absolute (non-relative) isdataat check.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST"; depth:8; offset:8; content:"hdrlavih"; within:8; distance:4; content:"INFO"; distance:0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:21168; rev:6;)
# sid 21107 (MJM Quickplayer .s3m): no CVE, no reference. 16 bytes of B/A filler at
# the start and 6F 15 00 10 exactly 1092 bytes later - both values look lifted from
# the PoC (filler + a hard-coded address).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MJM Quickplayer s3m buffer overflow"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"|42 42 42 42 42 42 42 42 41 41 41 41 41 41 41 41|"; depth:16; isdataat:1091,relative; content:"|6F 15 00 10|"; within:4; distance:1092; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21107; rev:8;)
# sid 21093 (A-PDF Wav to mp3 converter): no CVE, no reference. 5C 26 47 00 within
# bytes 4132..4140 of a .wav - again a fixed PoC value, not a structural check.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA A-PDF Wav to mp3 converter buffer overfow"; flow:to_client,established; flowbits:isset,file.wav; file_data; isdataat:4136; content:"|5C 26 47 00|"; depth:8; offset:4132; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21093; rev:7;)
# sid 21091 / 21090 (CVE-2007-2498, Winamp MP4): after "stco", a fixed 32-byte blob:
# 5A 44 43 42 41.. filler, then 31 C9 83 E9 .. D9 EE D9 74 24 F4 5B 81 73 13, which
# looks like the Metasploit shikata_ga_nai decoder stub with a fixed key (the two
# rules differ only in the count byte and key). Any other encoder or key evades both.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp player mp4 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stco"; nocase; content:"|00 00 5A 44 43 42 41 41 41 41 41 41 31 C9 83 E9 B8 D9 EE D9 74 24 F4 5B 81 73 13 90 FA 88 B7 83|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23723; reference:cve,2007-2498; classtype:attempted-user; sid:21091; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp player mp4 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stco"; nocase; content:"|00 00 5A 44 43 42 41 41 41 41 41 41 31 C9 83 E9 DD D9 EE D9 74 24 F4 5B 81 73 13 D8 19 25 C7 83|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,23723; reference:cve,2007-2498; classtype:attempted-user; sid:21090; rev:5;)
# sid 21078 (CVE-2012-0004, MS12-004, GraphEdt): a 48-byte verbatim RIFF/AVI header
# snapshot (including the exact RIFF size F8 C1 4E 0E) as fast_pattern:only - it
# matches one specific sample only. Disabled, security-ips drop if enabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow GraphEdt closed captioning memory corruption"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|52 49 46 46 F8 C1 4E 0E 41 56 49 20 4C 49 53 54 90 7C 01 00 68 64 72 6C 61 76 69 68 38 00 00 00 56 82 00 00 5D FA 4C 01 00 02 00 00 10 08 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21078; rev:6;)
# sid 20673 (VLC SMB URI): any port on both sides, no service or policy tag,
# classtype misc-attack. An XSPF <location> holding smb://host/<12+ chars without
# "." or "<">. The only reference is an exploit-db entry, no CVE.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"|3C|location|3E|"; nocase; pcre:"/smb\x3A\x2F\x2F[^\x2F]*\x2f[^\x2e\x3c]{12,}[\x2f\x3c\s]/Ri"; reference:url,www.exploit-db.com/exploits/10333/; classtype:misc-attack; sid:20673; rev:3;)
# sid 20653 (CVE-2006-6134, MS06-078, WMP ASX): no flowbits; <ref href="..."> whose
# scheme is two characters (or one/two %-encoded bytes) before ":/" and is followed
# by 100+ bytes without a closing quote.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player ASX file ref href buffer overflow attempt"; flow:to_server,established; file_data; content:"<ref"; nocase; content:"href"; distance:0; nocase; pcre:"/<ref\s+href\s*=\s*\x22([^\x22]{2}|(\x25[0-9A-Z]{2}){1,2})\x3A\x2F[^\x22]{100}/smi"; metadata:service smtp; reference:bugtraq,21247; reference:cve,2006-6134; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-078; classtype:attempted-user; sid:20653; rev:7;)
# sid 20559 (Winamp CMF): "CTMF" header with the 2-byte little-endian field at
# absolute offset 8 above 0x400. No CVE; the only reference is a forum thread.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"CTMF"; depth:4; byte_test:2,>,0x400,8,little; metadata:service ftp-data, service http, service imap, service pop3; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:20559; rev:8;)
# sid 20553 (CVE-2006-6063, XMPlay): #EXTM3U then "#EXTINF:0," and, after a CR LF, a
# drive-letter path (X:\) of 501+ non-whitespace bytes.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; nocase; content:"#EXTINF|3A|0|2C|"; distance:0; nocase; content:"|0D 0A|"; distance:0; content:"|3A 5C|"; within:2; distance:1; nocase; isdataat:501,relative; pcre:"/^\S{501}/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21206; reference:cve,2006-6063; classtype:attempted-user; sid:20553; rev:8;)
# sid 20237 (CVE-2009-2650, MultiMedia Jukebox): an http:// entry with 262+ bytes
# and no LF, and no space in the 259 bytes after the scheme.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service smtp; reference:bugtraq,46926; reference:cve,2009-2650; classtype:attempted-user; sid:20237; rev:11;)
# sid 20227 (CVE-2011-0531): to_client twin of the SMTP rule sid 24283.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC webm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.webm; file_data; content:"|1A 45 DF A3|"; depth:4; content:"webm"; within:4; distance:27; nocase; content:"|15 49 A9 66 01 00 00 00|"; distance:0; byte_test:4,>,1024,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46060; reference:cve,2011-0531; reference:url,videolan.org/security/sa1102.html; classtype:attempted-user; sid:20227; rev:11;)
# sid 20224 (MPlayer SAMI, bugtraq 49149, no CVE listed): a "Start=" followed by
# 500+ bytes before the next "Start=".
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"|3C|SAMI|3E|"; content:"Start|3D|"; distance:0; nocase; isdataat:500,relative; content:!"Start|3D|"; within:500; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49149; classtype:attempted-user; sid:20224; rev:10;)
# sid 19883 (CVE-2010-3275, VLC AMV): $HTTP_PORTS only, no flowbits; "RIFF" plus an
# exact 20-byte header snapshot as fast_pattern:only - a PoC signature.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player libdirectx_plugin.dll AMV parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"|00 00 00 02 00 00 00 00 00 10 00 A0 A0 00 00 78 00 00 00 10|"; fast_pattern:only; metadata:service http; reference:cve,2010-3275; classtype:attempted-user; sid:19883; rev:6;)
# sid 19621 (CVE-2009-0476 / 4656 / 5109, AdjMmsEng PLS): the fast_pattern is the
# HTTP response header "Accept-Ranges: bytes" (matched before file_data), so only
# responses from servers that advertise range support are inspected; the body check
# is a first line of 1024+ bytes with no LF.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Accept-Ranges: bytes|0D 0A|"; fast_pattern:only; file_data; isdataat:1024; content:!"|0A|"; depth:1024; metadata:service http; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:19621; rev:12;)
# sid 19560 (CVE-2009-2817, iTunes PLS): no file_data and no flowbits; anchors on a
# blank line (CR LF CR LF) immediately before "[playlist]", as at the end of HTTP or
# mail headers, on any port. Then a FileN= value with 32+ bytes after its first ".".
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes PLS file parsing buffer overflow attempt"; flow:to_client,established; content:"|0D 0A 0D 0A|[playlist]"; nocase; content:"File"; distance:0; nocase; pcre:"/^File\d+\s*\x3D\s*[^\x2E\r\n]+\x2E[^\r\n]{32}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36478; reference:cve,2009-2817; classtype:attempted-user; sid:19560; rev:9;)
# sid 18744 (CVE-2007-6681, VLC SSA/ASS subtitles): $HTTP_PORTS only, no flowbits;
# [Script Info] .. [Events] with "Dialogue:" within 11 bytes, then 1000+ bytes
# without LF. classtype attempted-admin as shipped.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN vlc player subtitle buffer overflow attempt"; flow:to_client,established; file_data; content:"[Script Info]"; nocase; content:"[Events]"; distance:0; nocase; content:"Dialogue|3A|"; within:11; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; metadata:service http; reference:bugtraq,27015; reference:cve,2007-6681; classtype:attempted-admin; sid:18744; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; depth:7; nocase; isdataat:1000; pcre:"/https?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:18484; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player Firefox plugin memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmv; file_data; content:"setTimeout|28 27|location|2E|reload|28 29 27 2C| 1000"; content:"autostart|3D|1 src=|22|invalid|2E|wmv|22|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-083; classtype:attempted-user; sid:17773; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer AVI parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strf"; content:"|08 00|"; within:2; distance:18; byte_test:4,>,0x100,16,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13530; reference:cve,2005-2052; classtype:attempted-user; sid:17272; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16751; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Worldweaver DX Studio Player plug-in command injection attempt"; flow:to_client,established; file_data; content:"<dxstudio"; fast_pattern:only; content:"shell.execute"; nocase; metadata:service http; reference:bugtraq,35273; reference:cve,2009-2011; classtype:attempted-user; sid:16744; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46926; reference:bugtraq,62926; reference:cve,2009-2650; reference:cve,2013-7409; reference:url,exploit-db.com/exploits/36022/; classtype:attempted-user; sid:16739; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 2"; flow:to_client,established; file_data; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; fast_pattern:only; metadata:service http; classtype:attempted-user; sid:16738; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 1"; flow:to_client,established; file_data; isdataat:92; content:!"|00|"; depth:92; content:"|FD A4 00 10|"; depth:4; offset:92; metadata:service http; classtype:attempted-user; sid:16737; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA PLF playlist name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.plf; content:"Content-Type:"; nocase; http_header; content:"application/octet-stream"; within:50; nocase; http_header; file_data; isdataat:256,relative; content:!"|20|"; depth:256; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21337; reference:cve,2006-6199; classtype:attempted-user; sid:16692; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes invalid tref box exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tref"; byte_test:4,>,19,-8,relative; pcre:"/^(\x00{4}|[\x80-\xff])/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-0531; reference:url,support.apple.com/kb/HT4105; classtype:attempted-dos; sid:16224; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"daap|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"pcast|3A|//"; nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itmss|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itms|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"qt|3A|next"; fast_pattern:only; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie record invalid version number exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"mvhd|FF|"; within:5; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0956; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15480; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; reference:bugtraq,30341; classtype:attempted-user; sid:14020; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; reference:bugtraq,30341; classtype:attempted-user; sid:14019; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tmci"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:13918; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strf"; content:"MJPG"; distance:0; byte_test:4,>,0x80000000,12,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13824; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"<SAMI"; nocase; content:"<STYLE"; distance:0; nocase; content:"text/css"; within:200; nocase; isdataat:600,relative; content:!"</STYLE"; within:600; pcre:"/\x3Cstyle[^\x3E]+?type\s*\x3D\s*(?P<q>(\x22|\x27|))text\x2Fcss(?P=q)[^\x3E]*\x3E.*^\s*\S+\s*\x7b[^\x7d]{500}/smiO"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-1444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13823; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing cpy buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|cpy"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13320; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing des buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|des"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13319; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi|file.mp4; file_data; content:"|A9|cmt"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13318; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing ART buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.avi; file_data; content:"|A9|ART"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13316; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:to_client,established; file_data; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13160; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:to_client,established; file_data; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13159; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:to_client,established; file_data; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy max-detect-ips drop, service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13158; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VLC Media Player udp URI format string attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; content:"udp|3A|//"; distance:0; nocase; content:"%"; distance:0; pcre:"/\x23EXTM3U.*?udp\x3A\x2F\x2F[^\r\n]*%/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21852; reference:cve,2007-0017; reference:url,projects.info-pull.com/moab/MOAB-02-01-2007.html; classtype:attempted-user; sid:9844; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt"; flow:to_client,established; file_data; content:"MThd"; depth:4; content:"|00 00 00 00 00 00|"; within:6; distance:4; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21612; reference:cve,2006-6601; reference:cve,2007-0562; classtype:denial-of-service; sid:9801; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Movie link scripting security bypass attempt"; flow:to_client,established; file_data; content:"<?xml version"; nocase; content:"<?QuickTime type=|22|application/x-quicktime-media-link"; distance:0; nocase; pcre:"/<embed[^>]*javascript/smi"; metadata:service http; reference:bugtraq,20138; reference:cve,2006-4965; classtype:attempted-user; sid:9429; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file component name integer overflow attempt"; flow:to_client,established; content:"video/quicktime"; nocase; http_header; pcre:"/^Content-Type\x3A\s*video\x2Fquicktime/smiH"; file_data; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; metadata:service http; reference:bugtraq,15308; reference:cve,2005-2754; reference:url,docs.info.apple.com/article.html?artnum=302772; classtype:attempted-user; sid:4680; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file component name integer overflow multipacket attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,15308; reference:cve,2005-2754; reference:url,docs.info.apple.com/article.html?artnum=302772; classtype:attempted-user; sid:4679; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow"; flow:to_client,established; file_data; content:".RMF"; nocase; content:"VIDORV30"; distance:0; byte_test:4,>,1000000,-16,relative; metadata:service http; reference:bugtraq,11309; reference:cve,2004-1481; reference:url,www.eeye.com/html/research/advisories/AD20041001.html; classtype:attempted-admin; sid:3470; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt"; flow:to_client,established; file_data; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; metadata:ruleset community, service http; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"application/smi"; fast_pattern; nocase; http_header; file_data; content:"file|3A|javascript|3A|"; pcre:"/<area\s+href=[\x22\x27]file\x3ajavascript\x3a/smi"; metadata:ruleset community, service http; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:20;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"tapt"; byte_extract:4,-8,track_aperture_atom_siz,relative; content:"enof"; within:track_aperture_atom_siz; byte_test:4,<,0x14,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,60099; reference:cve,2013-0986; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:27103; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime enof atom parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"tapt"; byte_extract:4,-8,track_aperture_atom_siz,relative; content:"enof"; within:track_aperture_atom_siz; byte_test:4,<,0x14,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,60099; reference:cve,2013-0986; reference:url,support.apple.com/kb/HT5770; classtype:attempted-user; sid:27102; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; content:"Accept-Ranges: bytes|0D 0A|"; fast_pattern:only; file_data; content:"|5B|playlist|5D|"; depth:15; isdataat:1024,relative; content:!"|0A|"; within:1024; distance:2; metadata:service http; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:28392; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"tmci"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service pop3, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28443; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28442; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"text|00 00 00 00 00 00|"; content:"|00 00 00 00 00 00|"; within:6; distance:16; byte_test:1,>=,251,13,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:28441; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"stageDom|00|http"; content:"System|00|security|00|allowDomain|00|AdSetupVersion|00|cID|00|aID|00|creativeID|00|"; within:62; distance:26; content:"|96 04 00 08 33 05 00 1D 96 02 00 08 26 1C 96 02 00 08|"; distance:0; content:"|06 00 09 21 01 09 22 01 1D 96 02 00 08 2D 1C 96 02 00 08 BC 49 12 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:29061; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pct; file_data; content:"|11 01|"; depth:2; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:29436; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|11 01|"; depth:2; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:29435; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|02 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29546; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29545; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|08 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29544; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_server,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|01 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service smtp; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29543; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|02 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29542; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29541; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|02 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|08 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29540; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA WAV processing buffer overflow attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"WAVE"; within:25; content:"fmt "; distance:0; content:"|01 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:8; content:"|10 00|"; within:2; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56135; reference:cve,2012-4186; classtype:misc-activity; sid:29539; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Flip4Mac Windows media components WMV parsing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.asf|file.wmv; file_data; content:"|26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C 0C B7 02 00 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,22286; reference:cve,2007-0466; reference:url,projects.info-pull.com/moab/MOAB-27-01-2007.html; classtype:attempted-user; sid:29521; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Flip4Mac Windows media components WMV parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.asf|file.wmv; file_data; content:"|26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C 0C B7 02 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22286; reference:cve,2007-0466; reference:url,projects.info-pull.com/moab/MOAB-27-01-2007.html; classtype:attempted-user; sid:29520; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|52 58 6B 65 6B CD DC E0 DB A5 89 A8 4A BA A0 83 43 44 92 C6 A8 12 83 AC 6A 0C 05 E2 EE 96 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-08.html; classtype:attempted-user; sid:30152; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_server,established; file_data; content:"stageDom|00|http"; content:"System|00|security|00|allowDomain|00|AdSetupVersion|00|cID|00|aID|00|creativeID|00|"; within:62; distance:26; content:"|96 04 00 08 33 05 00 1D 96 02 00 08 26 1C 96 02 00 08|"; distance:0; content:"|06 00 09 21 01 09 22 01 1D 96 02 00 08 2D 1C 96 02 00 08 BC 49 12 9D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb13-28.html; classtype:attempted-user; sid:30151; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|52 58 6B 65 6B CD DC E0 DB A5 89 A8 4A BA A0 83 43 44 92 C6 A8 12 83 AC 6A 0C 05 E2 EE 96 01 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64201; reference:cve,2013-5332; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-08.html; classtype:attempted-user; sid:30150; rev:2;)
# alert tcp $EXTERNAL_NET [554,8554] -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt"; flow:to_client,established; content:"|20|"; depth:1; content:"RTSP/"; offset:1; nocase; pcre:"/^\x20.*?RTSP\x2F\s?\d\x2E\s?\d[^\n\r]/i"; metadata:service rtsp; reference:bugtraq,65131; reference:bugtraq,65139; reference:cve,2013-6933; reference:cve,2013-6934; reference:url,isecpartners.github.io/fuzzing/vulnerabilities/2013/12/30/vlc-vulnerability.html; classtype:attempted-user; sid:30215; rev:3;)
# NOTE(review): sid 30532 only sets the cocsoft.stream flowbit (flowbits:noalert); its only consumers, sids 30531 and 30530 on the next two lines, are commented out, so as shipped this rule spends an http_header check on every client request and never produces an alert. Enable the three as a set or disable this one too.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-MULTIMEDIA CoCSoft Stream Download session"; flow:to_server,established; content:"User-Agent|3A| CoCSoft Stream Download|0D 0A|"; fast_pattern:only; http_header; flowbits:set,cocsoft.stream; flowbits:noalert; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30532; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CoCSoft Stream Down SEH based buffer overflow attempt"; flow:to_client,established; flowbits:isset,cocsoft.stream; file_data; content:"|EB 06|"; content:"|48 94 01 10|"; within:4; distance:2; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30531; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA CoCSoft Stream Down SEH based buffer overflow attempt"; flow:to_client,established; flowbits:isset,cocsoft.stream; file_data; content:"|EB 06|"; content:"|13 B2 05 10|"; within:4; distance:2; metadata:service http; reference:bugtraq,51190; reference:cve,2011-5052; classtype:attempted-user; sid:30530; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime long rnet atom size buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"|14 72 6E 65 74 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 1A 72 6D 76|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,56438; reference:cve,2012-3756; classtype:attempted-user; sid:30565; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime long rnet atom size buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|14 72 6E 65 74 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 1A 72 6D 76|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56438; reference:cve,2012-3756; classtype:attempted-user; sid:30564; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; pcre:"/^P:[A-G]\d{3}/m"; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:30764; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; content:"P:"; content:"("; within:10; content:"("; within:10; content:"("; within:10; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:30763; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; pcre:"/^P:[A-G]\d{3}/m"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:30762; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; flowbits:isset,file.abc; file_data; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; fast_pattern; content:"("; within:10; content:"("; within:10; content:"("; within:10; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:30761; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|A2 07|defaultValue|00|A|A0 00 00 00 0B|8|80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:30877; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A2 07|defaultValue|00|A|A0 00 00 00 0B|8|80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:30876; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; byte_test:2,!&,0xFFF0,1,relative,big; metadata:service smtp; reference:bugtraq,50741; reference:cve,2011-4259; classtype:attempted-user; sid:31376; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|FE 34 2D 67 73 13 05 AF 28 1D 46 15 B5 40 27 7D 02 21 5E 4B C3 0A 63 4E 28 50 99 0C 4E 82 E9 2D 19 23 7B A8 38 E6 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31524; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|24 D0 30 D0 60 09 68 03 D0 49 00 5D 0D 4A 0D 00 82 D5 10 08 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31523; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|A6 4F 32 6F 7B 76 B3 86 D1 55 33 05 B5 46 B6 78 9C C9 64 62 A8 23 99 8C 82 D9 A8 71 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31522; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|FE 34 2D 67 73 13 05 AF 28 1D 46 15 B5 40 27 7D 02 21 5E 4B C3 0A 63 4E 28 50 99 0C 4E 82 E9 2D 19 23 7B A8 38 E6 86|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31521; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|24 D0 30 D0 60 09 68 03 D0 49 00 5D 0D 4A 0D 00 82 D5 10 08 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31520; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|A6 4F 32 6F 7B 76 B3 86 D1 55 33 05 B5 46 B6 78 9C C9 64 62 A8 23 99 8C 82 D9 A8 71 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:31519; rev:3;)
# NOTE(review): sid 32739 combines a server-to-client header ($EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any) with flow:to_server, so even if uncommented it should effectively never match; every other to-client rule in this section uses flow:to_client,established and its SMTP twin (sid 32738, next line) is the one that legitimately needs to_server. Confirm against the published rule before enabling. Note also that content:".mov" precedes file_data, so it is tested against the raw payload rather than the extracted file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; content:".mov"; file_data; content:"{"; isdataat:1033,relative; content:!"}"; within:1033; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0664; classtype:attempted-user; sid:32739; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_server,established; content:".mov"; file_data; content:"{"; isdataat:1033,relative; content:!"}"; within:1033; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-0664; classtype:attempted-user; sid:32738; rev:3;)
# NOTE(review): sids 32899 and 32898 (this line and the next) are the SMTP and file-data variants of the same detection, yet they disagree on the tkhd walk (distance:199 / distance:-147 here versus distance:267 / distance:-200 below) and on the final height check (byte_test offset 0 here versus -4 below); the same atom layout cannot satisfy both, so at least one variant is likely off. Verify the offsets against a known sample and bring the pair into agreement before enabling either.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt"; flow:to_server,established; file_data; content:"stsd"; fast_pattern; content:"Motion JPEG"; within:11; distance:59; byte_extract:2,-30,width,relative; byte_extract:2,-28,height,relative; content:"tkhd"; content:"Video Media"; within:11; distance:199; content:"|00 00|"; within:2; distance:-147; byte_test:2,!=,width,-4,relative; content:"|00 00|"; within:2; distance:2; byte_test:2,!=,height,0,relative; metadata:service smtp; reference:cve,2013-1020; classtype:attempted-user; sid:32899; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt"; flow:to_client,established; file_data; content:"stsd"; fast_pattern; content:"Motion JPEG"; within:11; distance:59; byte_extract:2,-30,width,relative; byte_extract:2,-28,height,relative; content:"tkhd"; content:"Video Media"; within:11; distance:267; content:"|00 00|"; within:2; distance:-200; byte_test:2,!=,width,-4,relative; content:"|00 00|"; within:2; distance:2; byte_test:2,!=,height,-4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1020; classtype:attempted-user; sid:32898; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U"; nocase; pcre:"/^[^\x0a]{501}/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,16410; reference:bugtraq,16623; reference:bugtraq,21206; reference:cve,2006-0476; reference:cve,2006-0708; reference:cve,2006-6063; classtype:attempted-user; sid:33043; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; content:!"#EXT-X-"; within:10; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:33041; rev:3;)
# NOTE(review): "libavcodex" in the msg of sids 33206 and 33205 is an upstream typo for libavcodec; it is left as published so the alert text continues to match the sid documentation and any existing correlation on the message string.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt"; flow:to_server, established; file_data; flowbits:isset,file.mpeg; content:"|57 27 0B 2C 00 00 01 B3 0C 17 F0 15 04 E2 23 80 00 00 01 B5 14 8A 00 01 00 00 00 00 01 B5|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-9598; classtype:attempted-user; sid:33206; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC 2.1.5 Media Player libavcodex memory corruption attempt"; flow:to_client, established; file_data; flowbits:isset,file.mpeg; content:"|57 27 0B 2C 00 00 01 B3 0C 17 F0 15 04 E2 23 80 00 00 01 B5 14 8A 00 01 00 00 00 00 01 B5|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9598; classtype:attempted-user; sid:33205; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt"; flow:established,to_server; flowbits:isset,file.mp4; file_data; content:"|61 76 63 43 01 42 C0 0D FF E1 00 1B 67 42 C0 0D 9A 74 0A 0F DF F8 07 80 0C 98 80 00 00 03 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0321; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33474; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 malformed avc atom memory corruption attempt"; flow:established,to_client; flowbits:isset,file.mp4; file_data; content:"|61 76 63 43 01 42 C0 0D FF E1 00 1B 67 42 C0 0D 9A 74 0A 0F DF F8 07 80 0C 98 80 00 00 03 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0321; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-04.html; classtype:attempted-user; sid:33473; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime Image Description Atom sign extension memory corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"stsd"; content:"rpza"; distance:12; fast_pattern; content:"|00 00 00 00 00 00|"; within:6; byte_test:2,>,0x1FFC,18,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35166; reference:cve,2009-0955; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:33586; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0xFA,8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33578; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0x37,10,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33577; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0xFA,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33576; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"Vjpeg"; fast_pattern; content:"appl"; within:16; distance:12; byte_test:2,<,0x37,10,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:33575; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player AVC parser integer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|22 D1 AA 79 FD 5A 5B 6C 77 45 8F 7E 66 43 C1 B5 EE BA 3F 71 A2 D2 6D F0 6F 8E 6D 5F DF 7D AB 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34269; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player AVC parser integer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|22 D1 AA 79 FD 5A 5B 6C 77 45 8F 7E 66 43 C1 B5 EE BA 3F 71 A2 D2 6D F0 6F 8E 6D 5F DF 7D AB 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0352; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; classtype:attempted-user; sid:34268; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF integer overflow attempt"; flow:to_server,established; flowbits:isset,file.xspf; file_data; content:"<extension"; nocase; content:"<vlc:id>"; within:1000; nocase; byte_test:10,>,100000,0,relative,string; metadata:service smtp; reference:bugtraq,48171; reference:cve,2011-2194; reference:url,videolan.org/security/sa1104.html; classtype:attempted-dos; sid:34344; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"<extension"; nocase; content:"<vlc:id>"; within:1000; nocase; byte_test:10,>,100000,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,48171; reference:cve,2011-2194; reference:url,videolan.org/security/sa1104.html; classtype:attempted-dos; sid:34343; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pictmov; file_data; content:"|88 22 88 22 00 5C 00 08 00 08 00 71 00 09 00 02 00 02 00 6E 00 AA 00 6E 00 02 00 02 00 54 00 6E 00 AA 00 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:31309; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pictmov; file_data; content:"|88 22 88 22 00 5C 00 08 00 08 00 71 00 09 00 02 00 02 00 6E 00 AA 00 6E 00 02 00 02 00 54 00 6E 00 AA 00 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:31308; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt"; flow:to_server,established; file_data; content:"[InternetShortcut]"; fast_pattern:only; content:"URL="; nocase; isdataat:500,relative; content:!"|0D|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,56956; reference:cve,2012-5691; classtype:attempted-user; sid:28962; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt"; flow:to_client,established; file_data; content:"[InternetShortcut]"; fast_pattern:only; content:"URL="; nocase; isdataat:500,relative; content:!"|0D|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,56956; reference:cve,2012-5691; classtype:attempted-user; sid:28961; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_client,established; file_data; content:"OggS|00|"; depth:5; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25297; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime text track descriptors heap buffer overflow attempt"; flow:to_client,established; file_data; content:"{QTtext}"; depth:8; pcre:"/\x7b[^\x3a\x7d]+?\x3a[^\x7d]{1023}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0664; classtype:attempted-user; sid:24700; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.m4v; file_data; content:"moov"; nocase; content:"trak"; distance:0; nocase; content:"mdia"; distance:0; nocase; content:"minf"; distance:0; nocase; content:"stbl"; distance:0; nocase; content:"stsd"; distance:0; nocase; content:"avc1"; distance:0; nocase; content:"avcC"; distance:0; nocase; content:"|FF E1|"; within:2; distance:4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24640; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg"; distance:0; byte_test:2,>,0x7000,14,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24549; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes Extended M3U playlist record overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"#EXTM3U"; depth:7; content:!"#EXT-X-"; within:10; pcre:"/^\x23EXTM3U.{5}[^\x0d\x0a]{512}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,53933; reference:cve,2012-0677; classtype:attempted-user; sid:23271; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_jump:2,1,relative,post_offset -4; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:23170; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; content:"avc"; distance:0; content:"|FF E1|"; within:128; byte_test:2,>,256,0,relative; byte_test:2,>,256,21,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2140; reference:url,adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:23098; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom cprt field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"cprt|00|"; nocase; content:"|00 00 00 0D|"; within:4; distance:-9; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21342; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'dscp' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"dscp|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21341; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom titl field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"titl|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:cve,2015-0360; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-06.html; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21340; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom auth field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"auth|00|"; nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21339; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; byte_test:2,!&,0xFFF0,1,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,50741; reference:cve,2011-4259; classtype:attempted-user; sid:21112; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player digital video recording buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dvr-ms; file_data; content:"Vali"; byte_test:4,>,5000000,28,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-3401; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-092; classtype:attempted-user; sid:20734; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer QCP parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.qcp; file_data; content:"RIFF"; depth:4; content:"QLCMfmt|20|"; within:8; distance:4; byte_test:4,>,220,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2950; classtype:attempted-user; sid:20288; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC ModPlug ReadS3M overflow attempt"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"SCRM"; depth:4; offset:44; byte_test:2,>,65,-12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1574; classtype:attempted-user; sid:20284; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC ModPlug ReadS3M overflow attempt"; flow:to_client,established; flowbits:isset,file.s3m; file_data; content:"SCRM"; depth:4; offset:44; byte_test:2,>,65,-14,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1574; classtype:attempted-user; sid:20283; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|"; distance:0; nocase; byte_test:4,>,low,94,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:19956; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19450; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19449; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19448; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19447; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19446; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19445; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|"; within:4; distance:4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|"; distance:68; fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19444; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI Timestamp buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|4D 55 53 1A C0 EB|"; depth:6; content:"|81 80 80 80 48|"; within:5; distance:308; fast_pattern; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45221; classtype:attempted-user; sid:19432; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp MIDI Timestamp buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"|4D 55 53 1A C0 EB|"; depth:6; content:"|81 80 80 80 48|"; within:5; distance:180; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,45221; classtype:attempted-user; sid:19431; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|80 00 00 00 A0 B9 A1 B3 83 05 0C 00 3C 66 6F 6F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46008; reference:cve,2011-0522; classtype:attempted-user; sid:19421; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player Subtitle StripTags Heap Buffer Overflow"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|40 A0 83 03 8F 00 3C 70 6F 63|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46008; reference:cve,2011-0522; classtype:attempted-user; sid:19420; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt"; flow:to_server,established; file_data; content:"strh"; content:"vidscvid"; within:8; distance:4; content:"movi00dc"; byte_test:2,>,3,12,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-055; classtype:attempted-user; sid:19403; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI Header insufficient data corruption attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"RIFF"; fast_pattern; content:"AVI "; within:4; distance:4; content:"avih"; distance:0; byte_extract:4,0,chunk_size,little,relative; isdataat:!chunk_size,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35967; reference:cve,2009-1545; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-038; classtype:attempted-user; sid:19320; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strlstrh"; fast_pattern; nocase; byte_jump:4,0,relative,little; content:!"strf"; within:4; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:19169; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player SWF file MP4 data parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stsc"; byte_test:4,>,0xFFFF,12,relative,big; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,>,10,8,relative,big; pcre:"/^.{12}([^\x00].{3}){10}/sR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40801; reference:cve,2010-2162; reference:url,www.adobe.com/support/security/bulletins/apsb10-14.html; classtype:attempted-user; sid:19148; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19146; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player JPG header record mismatch memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; content:"strl"; within:4; distance:4; content:"strf"; distance:0; content:"MJPG"; within:4; distance:20; content:"LIST"; distance:0; content:"movi"; within:4; distance:4; content:"|FF C0|"; distance:0; byte_extract:1,7,cnt,relative; content:"|FF DA|"; within:490; byte_test:1,!=,cnt,2,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40464; reference:cve,2010-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19143; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:"|01 00 00 00 00 00 00 5C 00 00 00 78 E0 00 00 05 40 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19127; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:"|08 00 00 00 00 00 00 00 00 02 00 00 04 4E 00 01 03 00 00 00 00 00 03 CA 00 00 03 E6 E0 00 00 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46946; reference:cve,2011-1525; classtype:attempted-user; sid:19126; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 12 00 00|AAAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:19063; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime streaming debug error logging buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil"; fast_pattern:only; content:"src"; nocase; isdataat:449,relative; pcre:"/^\s*\=\s*(?![\x22\x27]?http(|s|1|s1)\x3a\x2f{2})(\x22[^\x22]{449}|\x27[^\x27]{449}|\S{449})/iR"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:18928; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player network sharing service RTSP code execution attempt"; flow:to_server,established; content:"SETUP"; depth:5; content:"rtsp|3A 2F 2F|"; within:7; distance:1; content:"|0D 0A 0D 0A|"; distance:0; isdataat:8,relative; content:!"OPTIONS"; within:7; content:!"DESCRIBE"; within:8; content:!"SETUP"; within:5; metadata:policy max-detect-ips drop; reference:bugtraq,43776; reference:cve,2010-3225; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-075; classtype:attempted-user; sid:17753; rev:15;)
# NOTE(review): in the first pcre the class [^\x10\x13] excludes DLE (0x10) and DC3 (0x13), not CR/LF; the decimal codes 10/13 look like they were written as hex escapes. As written the match can run across header lines, so "real(audio|video)" anywhere later in the header block satisfies it (over-broad, not a miss). Presumably intended: [^\x0A\x0D] -- confirm before re-enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding"; nocase; http_header; content:"chunked"; fast_pattern; nocase; http_header; content:"Content-Type|3A|"; nocase; http_header; pcre:"/Content-Type\x3a[^\x10\x13]*real(audio|video)/smiH"; content:"HTTP"; within:4; nocase; rawbytes; content:"|0D 0A 0D 0A|"; distance:0; isdataat:1024,relative; pcre:"/([^\x0A]{1024,}|.*?\x0A[^\x0A]{1024,})/smiR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17202; reference:cve,2005-2922; classtype:attempted-user; sid:17666; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17612; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17611; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17610; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA ffdshow codec URL parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; content:"<param "; nocase; content:"URL"; distance:0; nocase; pcre:"/<param\s+name\s*=\s*(?P<q1>\x22|\x27|)URL(?P=q1)[^>]+?value\s*=\s*(\x22|\x27)[^\x22\x27]{500}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32438; reference:cve,2008-5381; classtype:attempted-user; sid:17573; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt"; flow:to_client,established; file_data; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33652; reference:cve,2009-0375; classtype:attempted-user; sid:17561; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime SMIL File Handling Integer Overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil>"; pcre:"/meta\s*name\x3d\s*(?P<q1>(\x22|\x27|))(author|copyright|title|information)\s*(?P=q1)/smiR"; content:"content|3D 22|"; distance:1; nocase; isdataat:1024,relative; content:!"|22|"; within:1024; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24873; reference:cve,2007-2394; classtype:attempted-user; sid:17548; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|55 12 FE 3F 35 F2 C0 00 00 00 0B 01 03 0A B1 54 0D 02 4A E3 17 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23650; reference:cve,2007-2295; classtype:attempted-user; sid:17531; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow"; flow:to_client,established; file_data; content:"|6F 76 00 00 19 FE 6D 6F 6F 76 00 00 19 F6 6D 6F|"; content:"|6F 76 00 00 19 CE 6D 6F 6F 76 00 00 19 C6 6D 6F|"; offset:32; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-user; sid:17527; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime H.264 Movie File Buffer Overflow"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|81 F6 3B 80 00 00 40 80 FF FF FF 87 25 B8 20 00|"; content:"|F9 31 40 00 52 EA FB EF BE FB EF BE FB EF BE FB|"; within:16; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36328; reference:cve,2009-2799; classtype:attempted-user; sid:17523; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.jpeg; file_data; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:17470; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Mplayer Real Demuxer stream_read heap overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:".RMF"; depth:4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31473; reference:cve,2008-3827; classtype:attempted-user; sid:17469; rev:10;)
# NOTE(review): this byte_test is written "relative, little" with a space before the endianness keyword, unlike every other byte_test in this file. Normalize to "relative,little" before re-enabling, in case the option tokenizer in the target Snort build does not trim leading whitespace -- confirm.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft DirectShow AVI decoder buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"strn"; distance:0; nocase; byte_test:4,>,128,0,relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15063; reference:cve,2005-2128; classtype:attempted-user; sid:17443; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime PDAT Atom parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-3625; reference:url,support.apple.com/kb/HT3027; classtype:attempted-user; sid:17381; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"pano"; content:"pdat"; within:250; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; byte_test:4,>,104,-20,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26342; reference:cve,2007-4675; classtype:attempted-user; sid:17373; rev:11;)
# NOTE(review): the content match consumes the trailing |FF| byte, so byte_test:2,>,251,0,relative reads the two bytes *after* it rather than a 2-byte field that begins at |FF|. If |FF| is the high byte of the size being tested, the test never sees the field it was written for (either drop |FF| from the content or use offset -1) -- confirm against the atom layout this rule targets.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime udta atom parsing heap overflow vulnerability"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"udta"; content:"|A9|nam|FF|"; distance:0; byte_test:2,>,251,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22844; reference:cve,2007-0714; classtype:attempted-user; sid:17372; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime marshaled punk remote code execution"; flow:to_client,established; file_data; content:"_Marshaled_pUnk"; nocase; pcre:"/name\s*=\s*(?P<q1>\x22|\x27|)_Marshaled_pUnk(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1818; classtype:attempted-user; sid:17211; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 3"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17150; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 2"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17149; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC renamed zip file handling code execution attempt - 1"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"|50 4B 03 04|"; depth:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40428; classtype:attempted-user; sid:17148; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 10 00 00|AAAAAAAAAAAA"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:17135; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt"; flow:to_client,established; file_data; content:"strh"; content:"vidscvid"; within:8; distance:4; content:"movi00dc"; byte_test:2,>,3,12,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-055; classtype:attempted-user; sid:17128; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; file_data; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:17117; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16752; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|"; depth:12; byte_test:4,>,32,8,relative,big; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp CAF file processing integer overflow attempt"; flow:to_client,established; file_data; content:"caff|00 01 00 00|desc"; depth:12; byte_test:4,>,268435455,32,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33963; reference:cve,2009-0186; classtype:attempted-user; sid:16683; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|8E 8C 8B 8E 8C 8B 8E 8C 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C FF C4 00 9F 01 72 12 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:16661; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player codec code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strh"; content:"auds"; within:4; distance:4; fast_pattern; byte_jump:4,-8,relative,little; isdataat:16,relative; content:"strf"; within:4; content:"U|00|"; within:2; distance:4; byte_test:4,!=,48000,2,relative,little; byte_test:4,!=,44100,2,relative,little; byte_test:4,!=,32000,2,relative,little; byte_test:4,!=,24000,2,relative,little; byte_test:4,!=,22050,2,relative,little; byte_test:4,!=,16000,2,relative,little; byte_test:4,!=,12000,2,relative,little; byte_test:4,!=,11025,2,relative,little; byte_test:4,!=,8000,2,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0480; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-026; classtype:attempted-user; sid:16543; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Image Description Atom sign extension memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stsd"; content:"rpza"; distance:12; fast_pattern; content:"|00 00 00 00 00 00|"; within:6; byte_test:2,>,0x1FFC,18,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35166; reference:cve,2009-0955; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:16360; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; file_data; content:"OggS"; depth:4; content:"|82|theora"; distance:0; byte_test:1,!&,0xE0,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36465; reference:cve,2009-4631; reference:cve,2009-4632; reference:cve,2009-4633; reference:cve,2009-4634; reference:cve,2009-4635; reference:cve,2009-4636; reference:cve,2009-4637; reference:cve,2009-4638; reference:cve,2009-4639; reference:cve,2009-4640; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_client,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih8|00 00 00|"; within:12; distance:4; isdataat:!56,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:16342; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime and iTunes heap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"dinf|00 00 00 1C|dref|00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15732; reference:cve,2005-4092; classtype:attempted-user; sid:16148; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes AAC file handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"mp4a"; content:"stsc"; distance:0; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,<,257,-8,relative,big; byte_test:4,>,60,8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18730; reference:cve,2006-1467; classtype:attempted-user; sid:16055; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia file format processing heap corruption attempt"; flow:to_client,established; file_data; content:"DATA|00 00|A'|00 00 00 00 00|'|00 00 00 00 00 00 01|<|FF FF|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-5081; classtype:attempted-user; sid:16046; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime FLIC animation file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.fli; file_data; content:"|FA F1 02 00 00 00 00 00 00 00 00 00 0A 03 00 00 0B 00 01 00 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:cve,2006-4384; classtype:attempted-user; sid:16041; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp midi file header overflow attempt"; flow:to_client,established; flowbits:isset,file.mid; file_data; content:"MThd|00 00 00 06 00 00 00 01 00|`MTrk"; byte_test:4,>,2147483648,8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,18507; reference:cve,2006-3228; classtype:attempted-user; sid:16027; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime color table id memory corruption attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 18 00 00 00 00 00 0C 67 61 6D 61 00 01 CC CC 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,22839; reference:cve,2007-0718; reference:url,docs.info.apple.com/article.html?artnum=305149; classtype:attempted-user; sid:16006; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|50 2E 00 00 10 27 00 00 00 00 00 00 00 00 00 00 40 01 F0 00|strf|28 00 00 00 28 00 00 00 40 00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:15995; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer Multiple Products RA file processing overflow attempt"; flow:to_client,established; file_data; content:".ra|FD 00 04 00 00|.ra4|00 00 00 89 00 04 0F FF FF FF|"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26214; reference:cve,2007-2264; classtype:attempted-user; sid:15940; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime VR Track Header Atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; isdataat:40,relative; pcre:"/trak.{4}tkhd.{40}(?=.{20})(?!\x00\x01\x00\x00.{12}\x00\x01\x00\x00)/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33384; reference:cve,2009-0002; reference:url,support.apple.com/kb/HT3403; classtype:attempted-user; sid:15909; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp AIFF parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.aiff; file_data; content:"FORM"; depth:4; nocase; content:"AIF"; within:3; distance:4; fast_pattern; nocase; content:"COMM"; within:4; distance:1; byte_test:4,>,0xD9EF,0,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33226; reference:cve,2009-0263; classtype:attempted-user; sid:15901; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.4xm; file_data; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST"; within:8; distance:4; content:"hdrlavih"; within:8; distance:4; byte_test:4,!=,56,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:15854; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itpc|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow QuickTime file stsc atom parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stbl"; content:"stsd"; within:4; distance:4; content:"ima4"; distance:8; content:"stsc"; distance:0; byte_jump:4,4,relative,multiplier 12,big; isdataat:7,relative; content:!"stsz"; within:4; distance:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15682; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file clipping region handling heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"clip"; content:"crgn"; within:4; distance:4; byte_jump:4,-8,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35167; reference:cve,2009-0954; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15559; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows AVI DirectShow QuickTime parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"vide"; distance:0; content:"stsd"; distance:0; fast_pattern; byte_test:1,>,31,58,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35139; reference:cve,2009-1537; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15517; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|23|EXTM3U|0D 0A|"; depth:9; nocase; content:"|23|EXTINF:"; within:50; nocase; isdataat:400,relative; pcre:"/\x23EXTINF\:\d*\,\w*\x0D\x0A[^\x0A]{401}/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16410; reference:bugtraq,16623; reference:bugtraq,21206; reference:cve,2006-0476; reference:cve,2006-0708; reference:cve,2006-6063; classtype:attempted-user; sid:15473; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Multiple MP3 player PLS buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]"; fast_pattern; nocase; content:"File"; distance:0; nocase; content:"="; within:5; distance:1; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16410; reference:bugtraq,33589; reference:cve,2006-0476; reference:cve,2009-0476; classtype:attempted-user; sid:15472; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; depth:6; offset:522; pcre:"/\x00[\x70-\x77]\x00[\x00-\x09]/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,file.realmedia; file_data; content:"INDX"; content:"|00 00|"; within:2; distance:4; byte_test:4,>,0x15555554,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime for Java toQTPointer function memory corruption attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"toQTPointer"; content:"quicktime/util/QTPointerRef"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23608; reference:cve,2007-2175; classtype:attempted-user; sid:15238; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player RealText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"<time "; nocase; pcre:"/\x3ctime\x20[^\x3e]*(begin|end)\x3d\x22[^\x22]{13}/Osmi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-5036; classtype:attempted-user; sid:15166; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"<trackList>"; nocase; content:"<track>"; within:200; nocase; content:"<identifier>-"; within:1000; nocase; content:"</track>"; within:1000; nocase; content:"</trackList>"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI "; within:4; distance:4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15104; rev:18;)
# NOTE(review): classtype is misc-activity (low priority) although the msg describes an integer overflow attempt and every
# neighbouring overflow rule in this file uses attempted-user; if this rule is ever enabled, consider aligning the classtype so
# the alert is not buried below its peers in priority-sorted consoles.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wav; file_data; content:"RIFF"; content:"WAVEfmt"; distance:4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Obji Atom parsing stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"obji"; byte_test:4,<,20,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,28583; reference:cve,2008-1022; classtype:attempted-user; sid:13920; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"text|00 00 00 00 00 00|"; content:"|00 00 00 00 00 00|"; within:6; distance:16; byte_test:1,>=,251,13,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:13919; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hdlr"; byte_test:1,>=,251,24,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,15306; reference:cve,2005-2753; classtype:attempted-user; sid:13917; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime malformed idsc atom"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"idsc"; byte_test:4,<,94,-8,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0033; classtype:attempted-user; sid:13517; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset,quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:12;)
# Flowbit setter: tags client->server HTTP flows whose User-Agent header starts with "QuickTime" and stays silent
# (flowbits:noalert). It is enabled on purpose even though the consumer, sid 13516 directly above
# (flowbits:isset,quicktime_agent), is currently disabled: if sid 13516 is turned on it only works while this rule stays
# enabled. Do not disable this rule as a "noise" cleanup without also retiring sid 13516.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-MULTIMEDIA Apple QuickTime user agent"; flow:to_server,established; content:"User-Agent|3A| QuickTime"; fast_pattern:only; http_header; flowbits:set,quicktime_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:13515; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA 3ivx MP4 file parsing nam buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi|file.mp4; file_data; content:"|A9|nam"; fast_pattern; content:"data"; within:4; distance:4; byte_test:4,>,512,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,19976; reference:bugtraq,26773; reference:cve,2006-4386; reference:cve,2007-6401; reference:cve,2007-6402; classtype:attempted-user; sid:13317; rev:21;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"pano"; content:"pdat"; within:250; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; byte_test:4,>,104,-20,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26342; reference:cve,2007-4675; classtype:attempted-user; sid:13293; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file CRawParser buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"<SAMI>"; fast_pattern:only; pcre:"/\x3C\S+\s+[^\x3E]*?(\x22[^\x22]{500}|\x27[^\x27]{500}|[^\x3E\x20\x09]{500})/O"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3901; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:12983; rev:17;)
# NOTE(review): the msg says "wav file overflow" but the rule is gated on flowbits file.avi.video and keys on the "idx1"
# chunk tag, i.e. it inspects AVI index data, not WAV. MS07-064 / CVE-2007-3895 is referenced for both formats, so the
# detection itself may be fine, but an analyst triaging this alert will be misled by the name; consider renaming the msg
# (identifiers sid/rev left untouched here).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"idx1"; nocase; byte_test:4,>,4294967286,0,little,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:12971; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stbl"; distance:0; byte_extract:4,-8,stbl_size,relative; content:"stsd"; within:stbl_size; distance:-4; content:"|00 00 00|"; within:3; distance:1; byte_test:4,>,0,0,relative; byte_test:4,<,12,4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26341; reference:cve,2007-3750; reference:cve,2015-3789; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0013.html; classtype:attempted-user; sid:12746; rev:24;)
# NOTE(review): in all three libFLAC rules the single-byte block-header content ("|06|" / "|04|") carries no
# distance/within/offset, so it is NOT relative to the preceding "fLaC" match and can hit any 0x06 / 0x04 byte anywhere in
# the file buffer (even before the magic); only the final "|FF FF FF FF|" is positioned relative to that byte. Expect a high
# false-positive rate if these are enabled - anchoring the header byte after the magic (e.g. distance:0 following "fLaC")
# would tighten them. The fixed offsets (distance:7 / distance:3 / byte_jump over 7) presumably walk the FLAC metadata
# block header to the picture MIME-length, vorbis vendor-length and picture description-length fields - confirm against
# the FLAC format spec before tuning.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12745; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC VORBIS string buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|04|"; content:"|FF FF FF FF|"; within:4; distance:3; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12744; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA FLAC libFLAC picture description metadata buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.flac; file_data; content:"fLaC"; content:"|06|"; byte_jump:4,7,relative; content:"|FF FF FF FF|"; within:4; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26042; reference:cve,2007-4619; classtype:attempted-user; sid:12743; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks SMIL wallclock stack overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smi"; nocase; content:"wallclock|28|"; pcre:"/^[^\x29]*\x2E[0-9]{11}/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24658; reference:cve,2007-3410; classtype:attempted-user; sid:12728; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer lyrics heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"LYRICSBEGIN"; nocase; pcre:"/(EAL|EAR|ETT)\s*-0{0,4}1/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,26214; reference:cve,2007-5080; classtype:attempted-user; sid:12707; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer SMIL wallclock parsing buffer overflow"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"smil "; nocase; content:"wallclock|28|"; distance:0; nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie ftyp buffer underflow"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01|ftyp"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,23652; reference:cve,2007-2296; classtype:attempted-user; sid:11180; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime HREF Track Detected"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"> T<"; fast_pattern:only; pcre:"/A?<\s*([A-Za-z]{3,5}\x3A\x2F\x2F|javascript\x3a)[^>]+> T</sm"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0059; reference:url,projects.info-pull.com/moab/MOAB-03-01-2007.html; reference:url,www.apple.com/quicktime/tutorials/hreftracks.html; classtype:misc-activity; sid:9840; rev:23;)
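# FIX(review): the second pcre alternative (unquoted attribute value, e.g. src=rtsp://...) was spelled "rstp\x3A" and could
# never match an RTSP URI - only the quoted-attribute and <src>...</src> forms were effective. Corrected to "rtsp\x3A"; the
# content pre-filter, msg and references are unchanged (sid/rev left as-is, bump rev locally if you track modifications).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime RTSP URI overflow attempt"; flow:to_client,established; file_data; content:"rtsp|3A|//"; nocase; pcre:"/(=\s*([\x27\x22]rtsp\x3A[^\x22\x27\s]{200}|rtsp\x3A[^\s\x3E]{200})|\x3Csrc\x3Ertsp\x3A[^\x3C]{200})/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21829; reference:cve,2007-0015; reference:url,applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html; classtype:attempted-user; sid:9823; rev:15;)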
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime Movie link file URI security bypass attempt"; flow:to_client,established; file_data; content:"<?xml version"; nocase; content:"<?QuickTime type=|22|application/x-quicktime-media-link"; distance:0; nocase; content:"qtnext=|22|"; distance:0; nocase; pcre:"/qtnext=\x22((-e\s+|-chrome\s+)?(file|javascript))/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20138; reference:cve,2006-4965; classtype:attempted-user; sid:9430; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer error message format string vulnerability attempt"; flow:to_client,established; file_data; content:"<imfl>"; nocase; pcre:"/<[^>]*?\x25/ROsmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14945; reference:cve,2005-2710; classtype:attempted-user; sid:8091; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime udta atom overflow attempt"; flow:to_client,established; file_data; content:"udta"; byte_test:4,>,4294967291,-8,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17953; reference:cve,2006-1460; classtype:attempted-user; sid:6506; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows wmf file arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"&"; content:"|09 00|"; within:2; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,16074; reference:cve,2005-4560; reference:cve,2007-3034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-046; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-001; classtype:web-application-attack; sid:5318; rev:20;)
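# FIX(review): the original pcre "/<window\s+version\s*=\s*(?!(1\.[02456]))/smi" applied the negative lookahead directly
# after "=", so for the usual quoted form version="1.2" the lookahead saw the quote character, never the value, and the
# rule matched EVERY quoted version attribute (false positive on benign RealText). It also required "version" to be the
# first attribute of <window>, although the content match above allows any gap (distance:0). The pcre now skips an
# optional quote before testing the value and accepts "version" anywhere inside the <window ...> tag. The accepted
# version list (1.0/1.2/1.4/1.5/1.6) is unchanged; sid/rev left as-is.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer realtext file bad version buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rt; file_data; content:"<window"; nocase; content:"version"; distance:0; nocase; pcre:"/<window[^\x3e]*?\sversion\s*=\s*[\x22\x27]?(?!(1\.[02456]))/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,14048; reference:cve,2005-1766; reference:nessus,18558; classtype:attempted-user; sid:3823; rev:21;)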
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer SMIL file overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil>"; nocase; content:"system-screen-size=|22|"; distance:0; nocase; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,12698; reference:cve,2005-0455; classtype:attempted-user; sid:3473; rev:24;)
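# FIX(review): this is the rtsp:// variant of the playlist URL overflow trio (sids 2440/2439/2438), but its pcre was a
# copy of sid 2439's "^http\x3a\x2f\x2f..." - so it could only fire when the file contained an rtsp:// token AND an
# unrelated over-long http:// line, and never on an over-long rtsp:// line at all. The pcre now anchors on rtsp://, in
# line with the content pre-filter, the msg and the file:// sibling (sid 2438). sid/rev left as-is.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"rtsp|3A|//"; nocase; pcre:"/^rtsp\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2440; rev:23;)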
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2439; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2438; rev:23;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Windows Media Player ASF marker object memory corruption attempt "; flow:established,to_client; flowbits:isset,file.asf; file_data; content:"|34 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; byte_test:4,>,134217727,24,relative,little; metadata:service http; reference:cve,2009-2527; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-052; classtype:attempted-user; sid:16156; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt"; flow:to_server,established; file_data; content:"ftyp"; depth:4; offset:4; content:"mdia"; content:"hdlr"; within:200; content:"vide"; within:200; content:"minf"; distance:0; byte_extract:4,-8,minf_size,relative; isdataat:minf_size,relative; content:!"stbl"; within:minf_size; metadata:service smtp; reference:cve,2015-3667; reference:url,support.apple.com/en-us/HT204942; classtype:attempted-user; sid:35023; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt"; flow:to_client,established; file_data; content:"ftyp"; depth:4; offset:4; content:"mdia"; content:"hdlr"; within:200; content:"vide"; within:200; content:"minf"; distance:0; byte_extract:4,-8,minf_size,relative; isdataat:minf_size,relative; content:!"stbl"; within:minf_size; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3667; reference:url,support.apple.com/en-us/HT204942; classtype:attempted-user; sid:35022; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iLife iPhoto Photocast XML format string code injection attempt"; flow:to_server,established; file_data; content:"www.apple.com/ilife/wallpapers"; fast_pattern:only; content:"<title>"; nocase; content:"%n"; distance:0; content:"</title>"; within:10; nocase; metadata:service smtp; reference:bugtraq,21871; reference:cve,2007-0051; classtype:attempted-user; sid:35414; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple iLife iPhoto Photocast XML format string code injection attempt"; flow:to_client,established; file_data; content:"www.apple.com/ilife/wallpapers"; fast_pattern:only; content:"<title>"; nocase; content:"%n"; distance:0; content:"</title>"; within:10; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,21871; reference:cve,2007-0051; classtype:attempted-user; sid:35413; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"mvhd|00 00 00 00|"; byte_test:4,<,0x6c,-12,relative; metadata:service smtp; reference:cve,2015-3790; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0014.html; classtype:attempted-user; sid:35568; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime invalid mvhd atom size out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"mvhd|00 00 00 00|"; byte_test:4,<,0x6c,-12,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3790; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0014.html; classtype:attempted-user; sid:35567; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt"; flow:to_server,established; file_data; content:"ftyp"; depth:4; offset:4; content:"esds"; content:"|05 22|"; within:26; content:"|01 B5 0E E0 C0 C0 CF|"; within:7; distance:7; content:"|C1 44 3F 06|"; within:4; distance:17; metadata:service smtp; reference:cve,2015-3791; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0015.html; classtype:attempted-user; sid:35564; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime esds atom buffer overread attempt"; flow:to_client,established; file_data; content:"ftyp"; depth:4; offset:4; content:"esds"; content:"|05 22|"; within:26; content:"|01 B5 0E E0 C0 C0 CF|"; within:7; distance:7; content:"|C1 44 3F 06|"; within:4; distance:17; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3791; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0015.html; classtype:attempted-user; sid:35563; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_server,established; file_data; content:"|29 06 A0 E5 05 00 5A 6F 2D 06 A4 E5 16 01 15 BF 2D 27 A4 E6 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3792; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0017.html; classtype:attempted-user; sid:35562; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_client,established; file_data; content:"|29 06 A0 E5 05 00 5A 6F 2D 06 A4 E5 16 01 15 BF 2D 27 A4 E6 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3792; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0017.html; classtype:attempted-user; sid:35561; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime invalid stsd atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stbl"; distance:0; byte_extract:4,-8,stbl_size,relative; content:"stsd"; within:stbl_size; distance:-4; content:"|00 00 00|"; within:3; distance:1; byte_test:4,>,0,0,relative; byte_test:4,<,12,4,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26341; reference:cve,2007-3750; reference:cve,2015-3789; reference:url,support.apple.com/en-us/HT205031; reference:url,talosintel.com/reports/2015/08/13/TALOS-2015-0013.html; classtype:attempted-user; sid:35560; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime tkhd atom matrix integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; content:"|00 00 00 00|"; within:4; distance:12; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:"|00 00|"; within:2; distance:6; byte_test:4,>,0x7fffffff,4,relative; metadata:service smtp; reference:cve,2015-5786; reference:url,support.apple.com/en-us/HT205046; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:35629; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime tkhd atom matrix integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"trak"; content:"tkhd|00 00 00 0F|"; within:8; distance:4; fast_pattern; content:"|00 00 00 00|"; within:4; distance:12; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; content:"|00 00|"; within:2; distance:6; byte_test:4,>,0x7fffffff,4,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5786; reference:url,support.apple.com/en-us/HT205046; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:35628; rev:3;)
# --- CVE-2015-3668: Apple QuickTime traf atom out-of-bounds read. Disabled (max-detect-ips only).
# Gated on file.quicktime. Extracts the enclosing 'moof' size and fires when a 'traf' child inside it
# declares a size larger than its parent - a child-exceeds-parent check. This generalises beyond a
# single sample, but it will also flag benign truncated or corrupt fragmented MP4s.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moof"; byte_extract:4,-8,moof_size,relative; content:"traf"; within:moof_size; distance:-4; byte_test:4,>,moof_size,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2015-3668; reference:url,support.apple.com/en-us/HT204947; classtype:attempted-user; sid:35860; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moof"; byte_extract:4,-8,moof_size,relative; content:"traf"; within:moof_size; distance:-4; byte_test:4,>,moof_size,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3668; reference:url,support.apple.com/en-us/HT204947; classtype:attempted-user; sid:35859; rev:3;)
# --- CVE-2006-6199: PLF playlist name buffer overflow, SMTP only, disabled (max-detect-ips only).
# Gated on file.plf. Checks the MIME Content-Type (application/octet-stream) *before* file_data, then
# requires at least 256 bytes of body with no 0x20 anywhere in the first 256.
# NOTE(review): "no space in 256 bytes" is a length proxy, not a structural check; expect false
# positives on any .plf attachment whose first line is simply a long space-free path or URL.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA PLF playlist name buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.plf; content:"Content-Type:"; nocase; content:"application/octet-stream"; within:50; nocase; file_data; isdataat:256,relative; content:!"|20|"; depth:256; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21337; reference:cve,2006-6199; classtype:attempted-user; sid:35939; rev:3;)
# --- CVE-2015-5560 / APSB15-19: Adobe Flash Player ID3 tag integer overflow.
# ENABLED, and set to drop in the balanced, security and max-detect IPS policies.
# Not gated on a file-type flowbit: it anchors on an ID3v2.3 header at file offset 0 (depth:5),
# then tests a 0x80 bit in the first frame's second flags byte (presumably the frame compression
# flag - confirm against the ID3v2.3 spec) and a following 4-byte size field > 0x2aaaaaaa, and the
# pcre confirms a text/URL ('T'/'W'xxx) or COMM frame id.
# NOTE(review): 'nocase' on the header content and /i on the pcre make the match case-insensitive.
# Because this drops inline on MP3 over HTTP/IMAP/POP3, validate against legitimate files that
# carry large compressed frames before relying on the drop action.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt"; flow:to_server,established; file_data; content:"ID3|03 00|"; depth:5; nocase; byte_test:1,&,0x80,14,relative; byte_test:4,>,0x2aaaaaaa,15,relative; pcre:"/ID3\x03\x00.{5}([TW][A-Z]{3}|COMM)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,76289; reference:cve,2015-5560; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36114; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt"; flow:to_client,established; file_data; content:"ID3|03 00|"; depth:5; nocase; byte_test:1,&,0x80,14,relative; byte_test:4,>,0x2aaaaaaa,15,relative; pcre:"/ID3\x03\x00.{5}([TW][A-Z]{3}|COMM)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,76289; reference:cve,2015-5560; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-19.html; classtype:attempted-user; sid:36113; rev:3;)
# --- CVE-2009-0476 / 2009-4656 / 2009-5109: MultiMedia Soft AdjMmsEng.dll PLS overflow.
# SMTP only, disabled, no policy metadata. Requires the exact MIME type 'audio/x-scpls;' as the
# fast pattern, then at least 1024 bytes of body with no newline in the first 1024 bytes - a single
# overlong playlist line. No to_client counterpart is visible in this range.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pls; content:"Content-Type: audio/x-scpls|3B|"; fast_pattern:only; file_data; isdataat:1024; content:!"|0A|"; depth:1024; metadata:service smtp; reference:bugtraq,33589; reference:cve,2009-0476; reference:cve,2009-4656; reference:cve,2009-5109; classtype:attempted-user; sid:36456; rev:1;)
# --- CVE-2015-5580 / APSB15-23: Adobe Flash Player malformed MP4 CABAC out-of-bounds read.
# ENABLED, drop in balanced/security/max-detect.
# NOTE(review): detection is one 32-byte literal with fast_pattern:only, no structural anchoring and
# no file-type gate. It fingerprints a specific sample; changing any byte of the payload evades it,
# and it says nothing about the vulnerability class. Treat a hit as high-confidence but expect no
# coverage of variants.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt"; flow:to_server,established; file_data; content:"|FB 00 00 00 E8 00 00 0B 4D 00 00 01 59 00 00 01 73 00 00 0A 93 00 00 01 69 00 00 01 66 00 00 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5580; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36513; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt"; flow:to_client,established; file_data; content:"|FB 00 00 00 E8 00 00 0B 4D 00 00 01 59 00 00 01 73 00 00 0A 93 00 00 01 69 00 00 01 66 00 00 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5580; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-23.html; classtype:attempted-user; sid:36512; rev:2;)
# --- CVE-2014-4609: libav LZO integer overflow. Disabled, no policy metadata. Gated on file.mkv.
# Walks the EBML header (1A 45 DF A3, DocType 'matroska'), requires element 0x4254 with value 2
# (presumably ContentCompAlgo = lzo1x - confirm against the Matroska spec), then a Cluster
# (1F 43 B6 75) -> Timecode (E7) -> SimpleBlock (A3) followed by a run of 200 NUL bytes within
# 300 bytes. The pcre re-walks the same path to enforce the NUL run; the content matches do the
# filtering so its cost is bounded.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA libav LZO integer overflow attempt"; flow:to_server,established; flowbits:isset,file.mkv; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|42 82 88|matroska"; fast_pattern:only; content:"|42 54|"; content:"|02|"; within:3; content:"|1F 43 B6 75|"; content:"|E7|"; within:10; content:"|A3|"; within:4; content:"|00 00 00 00|"; within:300; pcre:"/\x1F\x43\xB6\x75.{0,10}\xE7.{0,4}\xA3.{0,300}?\x00{200}/"; metadata:service smtp; reference:bugtraq,68217; reference:cve,2014-4609; classtype:attempted-user; sid:36565; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA libav LZO integer overflow attempt"; flow:to_client,established; flowbits:isset,file.mkv; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|42 82 88|matroska"; fast_pattern:only; content:"|42 54|"; content:"|02|"; within:3; content:"|1F 43 B6 75|"; content:"|E7|"; within:10; content:"|A3|"; within:4; content:"|00 00 00 00|"; within:300; pcre:"/\x1F\x43\xB6\x75.{0,10}\xE7.{0,4}\xA3.{0,300}?\x00{200}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,68217; reference:cve,2014-4609; classtype:attempted-user; sid:36564; rev:2;)
# --- CVE-2008-0011 / MS08-033: Microsoft DirectX malformed MJPEG. All three disabled (max-detect only).
# sid 37153 matches a fixed AVI stream header + 'strf' BITMAPINFOHEADER for an MJPG stream and is
# gated on file.avi.video; sid 37152/37151 match a fixed 'movi00db' chunk prefix with no flowbit gate.
# All three are long literal fast_pattern:only matches, so they fingerprint specific samples rather
# than the parsing error itself; do not expect them to catch re-encoded variants.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"|50 2E 00 00 10 27 00 00 00 00 00 00 00 00 00 00 40 01 F0 00|strf|28 00 00 00 28 00 00 00 40 00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:37153; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_server,established; file_data; content:"movi00db|98 10 00 00 0B 8E 44 3F 96 EF 0B C2 F0 BC 2F 0B C2 F0 BC 2F 0B C2 F0 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-033; classtype:attempted-user; sid:37152; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed mjpeg arbitrary code execution attempt"; flow:to_client,established; file_data; content:"movi00db|98 10 00 00 0B 8E 44 3F 96 EF 0B C2 F0 BC 2F 0B C2 F0 BC 2F 0B C2 F0 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-033; classtype:attempted-user; sid:37151; rev:1;)
# --- CVE-2015-8790 / TALOS-2016-0036: libmatroska track/video double free. Three SMTP/to_client
# pairs, all disabled with no policy metadata. Each anchors on the EBML magic and then a different
# element path (IDs per the Matroska spec, to be confirmed): 1254C367 Tags -> 7373 Tag -> 63C0 Targets;
# 18538067 Segment -> 1C53BB6B Cues -> BB CuePoint -> B7 CueTrackPositions; 1654AE6B Tracks ->
# AE TrackEntry -> E0 Video. In each case the rule fires when the element's size bytes are malformed
# (negative content) or the buffer ends before the declared element (isdataat:!N,relative), i.e. a
# truncated/oversized element. The three overlap in intent and should be enabled together; each one
# alone gives partial coverage of the same bug.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|12 54 C3 67|"; content:"|73 73|"; distance:0; content:"|63 C0|"; within:2; distance:8; content:!"|01 00 00|"; within:3; isdataat:!127,relative; metadata:service smtp; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35778; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|12 54 C3 67|"; content:"|73 73|"; distance:0; content:"|63 C0|"; within:2; distance:8; content:!"|01 00 00|"; within:3; isdataat:!127,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35777; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|18 53 80 67|"; content:"|18 53 80 67|"; distance:0; content:"|1C 53 BB 6B|"; distance:0; content:"|BB|"; within:150; content:"|B7|"; within:20; isdataat:!100,relative; byte_test:1,>,200,0,relative; metadata:service smtp; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35776; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|18 53 80 67|"; content:"|18 53 80 67|"; distance:0; content:"|1C 53 BB 6B|"; distance:0; content:"|BB|"; within:150; content:"|B7|"; within:20; isdataat:!100,relative; byte_test:1,>,200,0,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35775; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_server,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|16 54 AE 6B|"; content:"|16 54 AE 6B|"; distance:0; content:"|AE 01 00 00|"; distance:0; content:"|E0|"; within:150; content:!"|01 00|"; within:2; isdataat:!127,relative; metadata:service smtp; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35774; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska track video double free attempt"; flow:to_client,established; file_data; content:"|1A 45 DF A3|"; depth:4; content:"|16 54 AE 6B|"; content:"|16 54 AE 6B|"; distance:0; content:"|AE 01 00 00|"; distance:0; content:"|E0|"; within:150; content:!"|01 00|"; within:2; isdataat:!127,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-8790; reference:url,www.talosintelligence.com/reports/TALOS-2016-0036; classtype:attempted-user; sid:35773; rev:3;)
# --- CVE-2015-8789 / TALOS-2016-0037: libmatroska EBML unicode string out-of-bounds read.
# ENABLED, drop in balanced/security/max-detect. No file-type gate.
# NOTE(review): single 32-byte literal with fast_pattern:only. The bytes contain recognisable
# structure (Cluster 1F 43 B6 75, Timecode E7, SimpleBlock A3) but with fixed sizes and payload, so
# this is a fingerprint of one sample rather than a check on the malformed string length.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt"; flow:to_server,established; file_data; content:"|6E 67 1F 43 B6 75 01 00 00 00 00 00 01 85 E7 81 00 A3 40 83 81 00 00 80 00 00 01 B3 00 10 07 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8789; reference:url,www.talosintelligence.com/reports/TALOS-2016-0037; classtype:attempted-user; sid:35726; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt"; flow:to_client,established; file_data; content:"|6E 67 1F 43 B6 75 01 00 00 00 00 00 01 85 E7 81 00 A3 40 83 81 00 00 80 00 00 01 B3 00 10 07 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8789; reference:url,www.talosintelligence.com/reports/TALOS-2016-0037; classtype:attempted-user; sid:35725; rev:4;)
# --- CVE-2010-0265 / MS10-016: Windows Movie Maker project file heap overflow. SMTP only, disabled
# (max-detect/security). Gated on file.ole. Reads a little-endian DWORD 94 bytes after the UTF-16
# 'Producer.dat' string and fires when the DWORD at the same offset after 'WmtoolsValid' is larger -
# a declared-length consistency check between the two streams.
# NOTE(review): metadata lists 'service ftp-data' on a rule whose header is $SMTP_SERVERS 25; the
# to_client (ftp-data/http) counterpart is not present in this range, so that tag looks misplaced.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|"; distance:0; nocase; byte_test:4,>,low,94,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:37663; rev:1;)
# --- CVE-2009-2817: Apple iTunes PLS parsing buffer overflow. SMTP only, disabled (max-detect).
# Not flowbit-gated: needs '[playlist]' then a 'FileN=' line whose value carries at least 32 bytes
# after the first '.' (the pcre is /m anchored so it checks a whole line; [^\x2E\r\n]+ forbids a dot
# before that point). A 32-byte extension is a loose threshold - long but legitimate URLs with
# query strings after the first dot will trigger it.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple iTunes PLS file parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"[playlist]"; nocase; content:"File"; distance:0; nocase; pcre:"/^File\d+\s*\x3D\s*[^\x2E\r\n]+\x2E[^\r\n]{32}/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,36478; reference:cve,2009-2817; classtype:attempted-user; sid:37959; rev:1;)
# --- CVE-2014-0515: Adobe Flash Pixel Bender buffer overflow. All four ENABLED, drop in
# balanced/security/max-detect.
# sid 37940/37939: one 32-byte literal with fast_pattern:only - a fingerprint of a specific sample.
# sid 37938/37937: structural, gated on file.swf - locates Pixel Bender parameter metadata
# (minValue / maxValue / defaultValue, the first two preceded by |A2 01|) and fires when the
# defaultValue entry is NOT preceded by that same |A2 01| prefix (negative content looking back
# 15 bytes). The structural pair is the one that generalises; keep both pairs enabled.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; content:"|97 41 8F FA 5F F2 57 F4 2B FA A5 D0 DB BB 4E 74 EF 9C FE 09 48 95 B2 0D 6B 82 C4 20 B4 50 71 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37940; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; content:"|97 41 8F FA 5F F2 57 F4 2B FA A5 D0 DB BB 4E 74 EF 9C FE 09 48 95 B2 0D 6B 82 C4 20 B4 50 71 A1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37939; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.swf; content:"|00 A2 01|minValue|00|"; fast_pattern; content:"|A2 01|maxValue|00|"; within:11; distance:4; content:"defaultValue|00|"; within:100; content:!"|A2 01|"; within:2; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37938; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash pixel bender buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|00 A2 01|minValue|00|"; fast_pattern; content:"|A2 01|maxValue|00|"; within:11; distance:4; content:"defaultValue|00|"; within:100; content:!"|A2 01|"; within:2; distance:-15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67092; reference:cve,2014-0515; classtype:attempted-user; sid:37937; rev:2;)
# --- CVE-2016-0101 / MS16-027: Windows MPEG-2 Transport Stream PMT heap overflow. Both disabled
# (max-detect/security only). Detection is a 32-byte literal with fast_pattern:only - a PMT carrying
# ISO 639 language descriptors (0A 04 'eng' / 'dut') from a specific sample, not a structural check.
# NOTE(review): sid 38125's header is `$HOME_NET any -> $SMTP_SERVERS 25`, whereas every other SMTP
# rule in this file uses `$EXTERNAL_NET any`. With the usual EXTERNAL_NET = !$HOME_NET this rule
# only sees mail submitted from inside the monitored network and misses the inbound delivery
# vector. Confirm that is intentional before enabling it; otherwise align it with its siblings.
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt"; flow:to_server,established; file_data; content:"|55 45 49 02 EC 81 F0 00 03 EC 8A F0 06 0A 04 65 6E 67 00 03 EC 8C F0 06 0A 04 64 75 74 00 03 EC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-027; classtype:attempted-user; sid:38125; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt"; flow:to_client,established; file_data; content:"|55 45 49 02 EC 81 F0 00 03 EC 8A F0 06 0A 04 65 6E 67 00 03 EC 8C F0 06 0A 04 64 75 74 00 03 EC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-027; classtype:attempted-user; sid:38124; rev:3;)
# --- CVE-2015-8655 / APSB16-08: Adobe Flash Player malformed MP4 atom use-after-free.
# ENABLED, drop in balanced/security/max-detect, gated on file.mp4. 32-byte literal fingerprint
# with fast_pattern:only (sample-specific; see the note on sid 36513 above for the trade-off).
# NOTE(review): the msg text differs in case between the pair ('MP4' in 38218, 'mp4' in 38217).
# Dashboards or correlation rules that group on msg will show these as two distinct signatures.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed MP4 atom use-after-free attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|2D AE 2F 27 B8 C5 76 35 87 75 0F 87 48 EF 3E 1E 01 9A 8D 37 EF 58 6A DE 48 13 CB 4A 12 BC CA 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8655; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38218; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 atom use-after-free attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|2D AE 2F 27 B8 C5 76 35 87 75 0F 87 48 EF 3E 1E 01 9A 8D 37 EF 58 6A DE 48 13 CB 4A 12 BC CA 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8655; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38217; rev:2;)
# --- CVE-2015-8658 / APSB16-08: Adobe Flash Player malformed MP4 out-of-bounds write.
# ENABLED, drop in balanced/security/max-detect. 32-byte literal fingerprint with fast_pattern:only
# and, unlike sid 38218/38217 just above, no file.mp4 gate - so it is evaluated against every
# file_data buffer on the listed services. Sample-specific; no coverage of variants.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 out of bounds write attempt"; flow:to_server,established; file_data; content:"|08 BF AB 6A 60 6F EA DA 98 1B E8 DA 98 1B E8 DA 98 18 1B E8 C0 C0 C0 C0 DA 98 18 18 1B E5 F2 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8658; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38210; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed mp4 out of bounds write attempt"; flow:to_client,established; file_data; content:"|08 BF AB 6A 60 6F EA DA 98 1B E8 DA 98 1B E8 DA 98 18 1B E8 C0 C0 C0 C0 DA 98 18 18 1B E5 F2 F9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8658; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-user; sid:38209; rev:2;)
# --- CVE-2015-8652 / APSB15-32: Adobe Flash Player MP4 length tag out-of-bounds read. Disabled
# (max-detect/security). Gated on file.mp4. After 'stsd' + version byte it byte_jumps by the
# atom's own size field (read 9 bytes back, with post_offset -4) and fires when the 4-byte value
# found there exceeds 15,000,000 - an oversized length in a sample-description table.
# NOTE(review): the jump lands relative to where the size was read, not the atom start; confirm
# against a known-good .mp4 that the tested DWORD is really the intended length field.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 length tag out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"stsd|00|"; byte_jump:4,-9,relative,post_offset -4; byte_test:4,>,15000000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-8652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:38202; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 length tag out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"stsd|00|"; byte_jump:4,-9,relative,post_offset -4; byte_test:4,>,15000000,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-8652; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-32.html; classtype:attempted-user; sid:38201; rev:2;)
# --- CVE-2015-7089 (TALOS-CAN-0021) and CVE-2015-7088 (TALOS-CAN-0020): Apple QuickTime mdat atom
# corruption out-of-bounds read. Two pairs, all ENABLED, drop in balanced/security/max-detect.
# Each pair is a 32-byte literal with fast_pattern:only and no file.quicktime gate - fingerprints of
# the two Talos samples. They will not catch a re-generated mdat; the structural QuickTime rules in
# this file (stsd/dref/alis/samr) are the ones that cover the parser, and they are disabled.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_server,established; file_data; content:"|4C 90 64 DC 09 76 21 76 AD 01 46 E8 35 2D D9 58 AA E5 15 71 A7 11 F8 F5 73 81 02 BB 6D 13 91 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7089; reference:url,www.talosintel.com/reports/TALOS-CAN-0021; classtype:attempted-user; sid:35718; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_client,established; file_data; content:"|4C 90 64 DC 09 76 21 76 AD 01 46 E8 35 2D D9 58 AA E5 15 71 A7 11 F8 F5 73 81 02 BB 6D 13 91 A6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7089; reference:url,www.talosintel.com/reports/TALOS-CAN-0021; classtype:attempted-user; sid:35717; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_server,established; file_data; content:"|8A 73 73 CC 33 83 9A 14 A1 F0 C9 10 62 00 89 78 EF 03 80 08 B8 2C 67 CF BB 05 16 03 C0 29 C1 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7088; reference:url,www.talosintel.com/reports/TALOS-CAN-0020; classtype:attempted-user; sid:35716; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt"; flow:to_client,established; file_data; content:"|8A 73 73 CC 33 83 9A 14 A1 F0 C9 10 62 00 89 78 EF 03 80 08 B8 2C 67 CF BB 05 16 03 C0 29 C1 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7088; reference:url,www.talosintel.com/reports/TALOS-CAN-0020; classtype:attempted-user; sid:35715; rev:3;)
# --- CVE-2015-7090 / TALOS-CAN-0023: Apple QuickTime invalid dref atom out-of-bounds read.
# Disabled (max-detect/security). Gated on file.quicktime. Structural: 'moov' -> 'dinf' -> 'dref'
# (fast_pattern), skips version/flags, requires entry_count > 0, then requires the first entry's
# size and type (8 bytes) to be all zero - a table that claims entries but has an empty one.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; fast_pattern; byte_test:4,>,0,4,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7090; reference:url,www.talosintel.com/reports/TALOS-CAN-0023; classtype:attempted-user; sid:35714; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; fast_pattern; byte_test:4,>,0,4,relative; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7090; reference:url,www.talosintel.com/reports/TALOS-CAN-0023; classtype:attempted-user; sid:35713; rev:3;)
# --- CVE-2015-7117 / TALOS-CAN-0022: Apple QuickTime invalid alis atom out-of-bounds read.
# Disabled (max-detect/security). Gated on file.quicktime. Structural: 'moov' -> 'dinf' -> 'dref' ->
# an 'alis' entry within 500 bytes, then a 16-bit field 2 bytes after 'alis' that is >= 0x9c while
# the alis atom's own size (4 bytes before the tag) is < 0x9c - i.e. an inner length that exceeds
# the enclosing atom. No fast_pattern is set, so the engine picks one of the short 4-byte tags.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; content:"alis"; within:500; byte_test:2,>=,0x9c,2,relative; byte_test:4,<,0x9c,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7117; reference:url,www.talosintel.com/reports/TALOS-CAN-0022; classtype:attempted-user; sid:35712; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"dinf"; distance:0; content:"dref"; within:4; distance:4; content:"alis"; within:500; byte_test:2,>=,0x9c,2,relative; byte_test:4,<,0x9c,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7117; reference:url,www.talosintel.com/reports/TALOS-CAN-0022; classtype:attempted-user; sid:35711; rev:3;)
# --- CVE-2015-7087 / TALOS-CAN-0019: Apple QuickTime invalid samr atom out-of-bounds read.
# Two pairs (two size windows), all disabled (max-detect/security), gated on file.quicktime.
# Structural: 'moov' -> 'stsd' (version + zero flags) -> a 'samr' sample description within 500
# bytes whose size (4 bytes before the tag) is either in [0x2c,0x34] with a 'damr' child 32 bytes
# later (sid 35627/35625) or in [0x25,0x2b] (sid 35626/35624) - both undersized for the AMR
# description the parser expects. Enable both pairs together to cover both windows.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x2c,-8,relative; byte_test:4,<=,0x34,-8,relative; content:"damr"; within:4; distance:32; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35627; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x25,-8,relative; byte_test:4,<=,0x2b,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35626; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x2c,-8,relative; byte_test:4,<=,0x34,-8,relative; content:"damr"; within:4; distance:32; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35625; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"stsd"; distance:0; content:"|00 00 00|"; within:3; distance:1; content:"samr"; within:500; byte_test:4,>=,0x25,-8,relative; byte_test:4,<=,0x2b,-8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-7087; reference:url,www.talosintel.com/reports/TALOS-CAN-0019; classtype:attempted-user; sid:35624; rev:3;)
# --- CVE-2017-2926 / APSB17-02: Adobe Flash Player MP4 stsz atom memory corruption.
# ENABLED, drop in balanced/security/max-detect, gated on file.mp4. A 36-byte literal with
# fast_pattern:only that looks like a fixed run of little-endian sample-size entries - a fingerprint
# of one sample's stsz table, not a check on the table's declared count vs. atom size.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 stsz atom memory corruption attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|5F AF 00 00 5A 00 00 00 5E 00 00 00 87 00 00 00 62 00 00 00 67 00 00 00 7C 00 00 00 47 00 00 00 C2 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2926; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41343; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 stsz atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|5F AF 00 00 5A 00 00 00 5E 00 00 00 87 00 00 00 62 00 00 00 67 00 00 00 7C 00 00 00 47 00 00 00 C2 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2926; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:41342; rev:2;)
# --- CVE-2017-2992 / APSB17-04: Chrome Pepper Flash Player SampleCount heap overflow.
# ENABLED, drop in balanced/security/max-detect, gated on file.mp4. 32-byte literal with
# fast_pattern:only; the bytes include an 'stts' atom header (73 74 74 73) with a fixed entry count,
# so this is a fingerprint of one sample rather than a test of the count against the atom size.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Chrome Pepper Flash Player SampleCount heap overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"|78 21 68 A2 1F 06 01 02 00 00 00 00 00 00 06 A0 73 74 74 73 00 00 00 00 00 00 00 D2 00 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2992; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; classtype:attempted-user; sid:41746; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Chrome Pepper Flash Player SampleCount heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"|78 21 68 A2 1F 06 01 02 00 00 00 00 00 00 06 A0 73 74 74 73 00 00 00 00 00 00 00 D2 00 00 00 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2992; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-04.html; classtype:attempted-user; sid:41745; rev:2;)
# --- CVE-2016-1850 / TALOS-2016-0183: Apple OS X SceneKit COLLADA geometry type confusion.
# Disabled, no policy metadata, no file-type gate (XML: anchors on '<COLLADA'). The pcre captures the
# id of a <light> element and fires when a later <instance_geometry url="#id"> references that same
# id - geometry instantiated from a light node.
# NOTE(review): the pcre uses /s with a lazy '.*?' across the whole file_data buffer and the 'O'
# modifier, which overrides Snort's configured pcre match limits for this expression. On a large
# COLLADA file that is an unbounded backtracking search; keep the fast_pattern on
# '<instance_geometry' and watch pcre performance stats if this is enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple OSX SceneKit invalid COLLADA file geometry attribute type confusion attempt"; flow:to_server,established; file_data; content:"<COLLADA"; nocase; content:"<instance_geometry"; fast_pattern:only; content:"<light"; nocase; pcre:"/<light\s[^>]*?id\s*=\s*[\x22\x27](?P<id>[\w-]+)[\x22\x27].*?<instance_geometry\s[^>]*?url\s*=\s*[\x22\x27]\x23(?P=id)[\x22\x27]/siO"; metadata:service smtp; reference:cve,2016-1850; reference:url,www.talosintelligence.com/reports/TALOS-2016-0183; classtype:attempted-user; sid:39598; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple OSX SceneKit invalid COLLADA file geometry attribute type confusion attempt"; flow:to_client,established; file_data; content:"<COLLADA"; nocase; content:"<instance_geometry"; fast_pattern:only; content:"<light"; nocase; pcre:"/<light\s[^>]*?id\s*=\s*[\x22\x27](?P<id>[\w-]+)[\x22\x27].*?<instance_geometry\s[^>]*?url\s*=\s*[\x22\x27]\x23(?P=id)[\x22\x27]/siO"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-1850; reference:url,www.talosintelligence.com/reports/TALOS-2016-0183; classtype:attempted-user; sid:39597; rev:2;)
# --- CVE-2010-1880 / MS10-033: Windows Media Player MJPEG/JPG header record mismatch. Both disabled
# (max-detect only), gated on file.avi.video. Structural: AVI 'strl' -> 'strf' with MJPG codec, then
# inside the 'movi' list a JPEG SOF0 marker (FF C0) whose field 5 bytes in - which, per the SOF
# layout (Lf, P, Y, X), appears to be the image width - is exactly 1. Hedged: confirm with a sample.
# NOTE(review): sid 43336's header destination is `$HOME_NET 25` rather than `$SMTP_SERVERS 25` used
# by every other SMTP rule here. Broader rather than narrower, so no coverage loss, but inconsistent
# with its siblings and with the 'service smtp' tag.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player JPG header record mismatch memory corruption attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; content:"strl"; within:4; distance:4; content:"strf"; distance:0; content:"MJPG"; within:4; distance:20; content:"LIST"; distance:0; content:"movi"; within:4; distance:4; content:"|FF C0|"; distance:0; content:"|00 01|"; within:2; distance:5; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40464; reference:cve,2010-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:43336; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player JPG header record mismatch memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; content:"strl"; within:4; distance:4; content:"strf"; distance:0; content:"MJPG"; within:4; distance:20; content:"LIST"; distance:0; content:"movi"; within:4; distance:4; content:"|FF C0|"; distance:0; content:"|00 01|"; within:2; distance:5; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40464; reference:cve,2010-1880; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:43335; rev:1;)
# SIDs 43270 / 43269 (disabled by default): DirectX/DirectShow RIFF chunk-length overflow, CVE-2007-3895 / CVE-2009-1546 / MS07-064.
# Each rule locates a RIFF chunk tag ("JUNK" for 43270, "LIST" for 43269) and byte_tests the 4-byte little-endian
# value immediately after it (presumably the chunk length) for > 0x7FFFFFF7 — a length that, once header padding is
# added, would wrap a 32-bit signed size. Only mail (to_server, port 25) variants are present in this section.
# NOTE(review): the msg says "wav file" but the gate is flowbits:isset,file.avi.video, not a WAV-specific flowbit;
# both formats are RIFF containers, so confirm whether WAV attachments are actually evaluated by these rules.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"JUNK"; byte_test:4,>,0x7FFFFFF7,0,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-3895; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:43270; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt"; flow:to_server,established; flowbits:isset,file.avi.video; file_data; content:"LIST"; byte_test:4,>,0x7FFFFFF7,0,little,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-3895; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-064; classtype:attempted-user; sid:43269; rev:1;)
# SIDs 43889 / 43888 (ENABLED; drop in balanced/max-detect/security policies): Adobe Acrobat EMF EMR_BITBLT out-of-bounds access,
# CVE-2017-11233, CVE-2018-15939, CVE-2018-15942 (APSB17-24, APSB18-30). 43889 = mail variant, 43888 = client-side variant.
# Detection is a single fixed 40-byte sequence with fast_pattern:only and no flowbit gate, so the rule is cheap but matches
# only the exact record bytes it encodes; a record with different field values would not trigger it. Treat it as coverage
# for the known sample(s) rather than the whole vulnerability class.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BITBLT record out of bounds access attempt"; flow:to_server,established; file_data; content:"|E9 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 EA 00 00 00 43 00 00 00 29 00 AA 00 00 00 00 00 00 00 00 00 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11233; reference:cve,2018-15939; reference:cve,2018-15942; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43889; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BITBLT record out of bounds access attempt"; flow:to_client,established; file_data; content:"|E9 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 EA 00 00 00 43 00 00 00 29 00 AA 00 00 00 00 00 00 00 00 00 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11233; reference:cve,2018-15939; reference:cve,2018-15942; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43888; rev:4;)
# SIDs 43971 / 43970 (disabled by default): Adobe Acrobat EMF EMR_POLYBEZIER16 out-of-bounds access, CVE-2017-3122 (APSB17-24).
# Gated on file.emf; fixed 40-byte record bytes (record type 0x58, size 0x28, all-0xFF bounds rectangle, 3 points) with
# no fast_pattern modifier, so the pattern matcher picks its own fast pattern from the content.
# NOTE(review): the leading "58 00 00 00 28 00 00 00 ..." bytes are the same record prefix used by the EMR_POLYBEZIERTO16
# rules (43968/43967) below; check the msg label against the MS-EMF record-type table before relying on the name.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 FC 01 D6 01 FA 01 D3 01 F7 01 D1 01|"; metadata:service smtp; reference:cve,2017-3122; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43971; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 FC 01 D6 01 FA 01 D3 01 F7 01 D1 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3122; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43970; rev:1;)
# SIDs 43968 / 43967 (ENABLED; drop in balanced/max-detect/security policies): Adobe Acrobat EMF EMR_POLYBEZIERTO16
# out-of-bounds access, CVE-2017-11238 (APSB17-24). Gated on file.emf; fixed 40-byte sequence, fast_pattern:only.
# NOTE(review): these two rules list file_data before flowbits:isset,file.emf, the reverse of every other flowbit-gated
# EMF rule in this section. Cosmetic as far as matching goes, but worth aligning so the rules read consistently.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|E8 0C 00 00 58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 4C 00 E8 0C 48 00 E5 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11238; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43968; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|E8 0C 00 00 58 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 4C 00 E8 0C 48 00 E5 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11238; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43967; rev:3;)
# SIDs 43941 / 43940 (ENABLED; drop in balanced/max-detect/security policies): Adobe Acrobat EMF EMR_COMMENT out-of-bounds
# access, CVE-2017-11227 (APSB17-24). No flowbit gate; fixed bytes for an EMR_COMMENT record (type 0x46) carrying an
# "EMF+" payload, fast_pattern:only. Exact-bytes signature — see the caveat on the EMR_BITBLT rules above.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_server,established; file_data; content:"|46 00 00 00 44 02 00 00 38 02 00 00|EMF+|2A 40 00 00 24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 80 00 00 00 80 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11227; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43941; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_client,established; file_data; content:"|46 00 00 00 44 02 00 00 38 02 00 00|EMF+|2A 40 00 00 24 00 00 00 18 00 00 00 00 00 80 3F 00 00 00 80 00 00 00 80 00 00 80 3F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11227; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43940; rev:3;)
# SIDs 44000 / 43999 (ENABLED; drop in balanced/max-detect/security policies): Adobe Acrobat EMF malformed brush object,
# CVE-2017-11232 (APSB17-24). No flowbit gate; fixed 32-byte sequence (a 0x27 record of size 0x18 immediately followed by
# a 0x25 record of size 0x0C), fast_pattern:only. Exact-bytes signature — same caveat as above.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt"; flow:to_server,established; file_data; content:"|27 00 00 00 18 00 00 00 02 00 00 00 00 00 00 00 F9 EE C2 00 00 00 00 00 25 00 00 00 0C 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11232; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44000; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt"; flow:to_client,established; file_data; content:"|27 00 00 00 18 00 00 00 02 00 00 00 00 00 00 00 F9 EE C2 00 00 00 00 00 25 00 00 00 0C 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11232; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43999; rev:3;)
# SIDs 44056 / 44055 (disabled by default): Adobe Acrobat EMF EMR_COMMENT out-of-bounds access, CVE-2017-11245 and
# CVE-2018-15946 (APSB17-24, APSB18-30). Gated on file.emf; fixed 32-byte EMR_COMMENT (0x46) bytes including the
# "EMF+" tag encoded as 45 4D 46 2B, fast_pattern:only. Shares its msg text with 43941/43940 above; the sid is the
# only way to tell the two signatures apart in alert output.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00 50 00 00 00 44 00 00 00 45 4D 46 2B 08 40 16 02 40 00 00 00 34 00 00 00 02 10 C0 DB|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-11245; reference:cve,2018-15946; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44056; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|46 00 00 00 50 00 00 00 44 00 00 00 45 4D 46 2B 08 40 16 02 40 00 00 00 34 00 00 00 02 10 C0 DB|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11245; reference:cve,2018-15946; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44055; rev:3;)
# SIDs 44100 / 44099 (disabled by default): Adobe Acrobat EMF EMR_STRETCHDIBITS out-of-bounds access, CVE-2017-11269 /
# CVE-2017-11270 (APSB17-24). Fixed 32-byte sequence, fast_pattern:only. Unlike 44095/44094 below there is NO file.emf
# gate, so the bytes are searched in every file_data buffer on the listed services.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt"; flow:to_server,established; file_data; content:"|13 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00 C8 D0 D4 00 80 80 80 00 40 40 40 00 BD C4 C8 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11269; reference:cve,2017-11270; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44100; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt"; flow:to_client,established; file_data; content:"|13 00 00 00 00 00 00 00 00 00 00 00 FF FF FF 00 C8 D0 D4 00 80 80 80 00 40 40 40 00 BD C4 C8 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11269; reference:cve,2017-11270; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44099; rev:4;)
# SIDs 44095 / 44094 (disabled by default): Adobe Acrobat EMF EMR_STRETCHDIBITS memory corruption, CVE-2017-11271 (APSB17-24).
# Unlike the exact-bytes rules above, this one is structural: gated on file.emf, it anchors on record type |51 00 00 00|
# (fast_pattern), requires |50 00 00 00| exactly 44 bytes later and |28 00 00 00| exactly 28 bytes after that (a 40-byte
# bitmap info header), then byte_tests the little-endian 32-bit field 28 bytes further on for >= 0x400000. Because it keys
# on field layout rather than sample bytes, it should generalise to variants better than 44100/44099.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; fast_pattern; content:"|50 00 00 00|"; within:4; distance:44; content:"|28 00 00 00|"; within:4; distance:28; byte_test:4,>=,0x400000,28,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11271; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44095; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.emf; file_data; content:"|51 00 00 00|"; fast_pattern; content:"|50 00 00 00|"; within:4; distance:44; content:"|28 00 00 00|"; within:4; distance:28; byte_test:4,>=,0x400000,28,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11271; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44094; rev:3;)
# SID 44194 (disabled by default): over-long URL in an m3u/pls playlist, heap overflow in multiple audio players,
# CVE-2009-2650 / CVE-2013-7409 (bugtraq 46926, 62926). Mail-side variant only in this section.
# Gated on file.m3u|file.pls. After "http://" it requires at least 262 more bytes (isdataat), no line feed in the next
# 262 bytes, and no space in the 259 bytes starting 3 bytes in — i.e. an unbroken URL of roughly 262+ characters.
# NOTE(review): legitimate streaming URLs with long query strings or tokens can exceed this length; tune the threshold
# or whitelist known hosts if it is enabled.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA multiple audio players playlist file handling heap overflow attempt"; flow:to_server,established; flowbits:isset,file.m3u|file.pls; file_data; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0A|"; within:262; content:!" "; within:259; distance:3; metadata:service smtp; reference:bugtraq,46926; reference:bugtraq,62926; reference:cve,2009-2650; reference:cve,2013-7409; reference:url,exploit-db.com/exploits/36022/; classtype:attempted-user; sid:44194; rev:1;)
# SIDs 45554 / 45553 (disabled by default): Windows Movie Maker project file heap overflow, CVE-2010-0265 / MS10-016.
# Gated on file.ole. Matches the UTF-16LE stream name "Producer.dat" (fast_pattern, nocase), then a |1A 00 02 01 FF FF|
# marker after it, and a fixed 31-byte sequence that is NOT anchored relative to the previous matches (no distance/within),
# so it may sit anywhere in the buffer.
# NOTE(review): 45554 is the to_server port-25 variant, yet its metadata carries "service ftp-data" alongside "service smtp";
# that looks like a carry-over from the client-side rule (45553). Verify the intended service binding.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; content:"|1A 00 02 01 FF FF|"; distance:0; content:"|04 00 00 00 4E 11 00 00 00 00 00 00 01 00 00 00 02 00 00 00 FE FF FF FF 04 00 00 00 FE FF FF|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:45554; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|"; fast_pattern; nocase; content:"|1A 00 02 01 FF FF|"; distance:0; content:"|04 00 00 00 4E 11 00 00 00 00 00 00 01 00 00 00 02 00 00 00 FE FF FF FF 04 00 00 00 FE FF FF|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:45553; rev:1;)
# SID 45586 (disabled by default): Windows Media Player / Explorer malformed MIDI denial of service, CVE-2006-6601 /
# CVE-2007-0562 (bugtraq 21612). Mail-side variant only; classtype denial-of-service rather than attempted-user.
# Requires "MThd" in the first 4 bytes of file_data and, after skipping the 4-byte header-length field, six zero bytes
# (presumably a zeroed format/track-count/division header). No flowbit gate — the depth:4 anchor does the gating.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt"; flow:to_server,established; file_data; content:"MThd"; depth:4; content:"|00 00 00 00 00 00|"; within:6; distance:4; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21612; reference:cve,2006-6601; reference:cve,2007-0562; classtype:denial-of-service; sid:45586; rev:1;)
# SIDs 46481 / 46480 (disabled by default): QuickTime "keys" atom integer overflow, CVE-2016-5199 (bugtraq 94196; the
# referenced ffmpeg cvslog post is the upstream fix). 46481 = mail variant, 46480 = client-side variant.
# Gated on file.quicktime. Finds a "meta" atom type, reads the big-endian 32-bit value 8 bytes back from the end of the
# match (the atom size that precedes the type in QuickTime atom layout) into meta_size, then requires "keys|00|" within
# that many bytes and byte_tests the big-endian 32-bit value 3 bytes past the tag for > 0x1ffffffe — presumably an entry
# count large enough to overflow when multiplied by the entry size.
# NOTE(review): a hostile "meta" atom size field can make meta_size huge, but within: only bounds the search, so that is
# not itself a problem; it does mean a truncated/odd "meta" atom could extend the search to the whole buffer.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt"; flow:to_server,established; flowbits:isset,file.quicktime; file_data; content:"meta"; byte_extract:4,-8,meta_size,relative,big; content:"keys|00|"; within:meta_size; byte_test:4,>,0x1ffffffe,3,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,94196; reference:cve,2016-5199; reference:url,ffmpeg.org/pipermail/ffmpeg-cvslog/2016-September/101971.html; classtype:attempted-user; sid:46481; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"meta"; byte_extract:4,-8,meta_size,relative,big; content:"keys|00|"; within:meta_size; byte_test:4,>,0x1ffffffe,3,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,94196; reference:cve,2016-5199; reference:url,ffmpeg.org/pipermail/ffmpeg-cvslog/2016-September/101971.html; classtype:attempted-user; sid:46480; rev:1;)
# SIDs 46916 / 46915 (disabled by default): VLC abc-notation "parts" (P:) field integer overflow, CVE-2013-4233.
# Here the client-side rule (46916) is listed before the mail rule (46915), the opposite of the other pairs in this section.
# Triggers on ".abc" (fast_pattern:only) plus "X:", CRLF "T:" and CRLF "P:" headers, two "(" characters within 10 bytes
# of the P: field, and a PCRE requiring a P: line of the form "(<letter>)" followed by five digits — presumably an
# oversized repeat count.
# NOTE(review): the pair is out of sync — 46916 is rev:1 while 46915 is rev:2 — although their detection options are
# identical. Harmless, but reconciling the revisions keeps future edits touching both rules together.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_client,established; file_data; content:".abc"; fast_pattern:only; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; content:"("; within:10; content:"("; within:10; pcre:"/^P:[^\x0d]*?\x28[A-Z]\x29\d{5}/mi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-4233; classtype:attempted-user; sid:46916; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt"; flow:to_server,established; file_data; content:".abc"; fast_pattern:only; content:"X:"; content:"|0D 0A|T:"; distance:0; content:"|0D 0A|P:"; distance:0; content:"("; within:10; content:"("; within:10; pcre:"/^P:[^\x0d]*?\x28[A-Z]\x29\d{5}/mi"; metadata:service smtp; reference:cve,2013-4233; classtype:attempted-user; sid:46915; rev:2;)
# SIDs 47033 / 47032 (disabled by default): QuickTime MPEG stream padding buffer overflow, CVE-2012-0659 (Apple HT5261).
# Client-side rule (47033) listed before the mail rule (47032). Gated on file.mpeg.
# After a |00 00 01| start-code prefix, the three byte_tests (none of which move the cursor) require: the next byte to be
# in 0xC0..0xEF (> 0xBF and < 0xF0, i.e. a stream-id range), and the big-endian 16-bit value one byte past it to be <= 4.
# The final content then demands five 0xFF bytes starting 3 bytes after the prefix — more stuffing bytes than the
# declared packet length of at most 4 allows, which is the inconsistency the vulnerable parser mishandles.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_test:2,<=,0x0004,1,relative; content:"|FF FF FF FF FF|"; within:5; distance:3; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:47033; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; byte_test:1,>,0xBF,0,relative; byte_test:1,<,0xF0,0,relative; byte_test:2,<=,0x0004,1,relative; content:"|FF FF FF FF FF|"; within:5; distance:3; metadata:service smtp; reference:cve,2012-0659; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:47032; rev:2;)
# SIDs 48106 / 48105 (ENABLED; drop in balanced/max-detect/security policies): libvorbis audio data out-of-bounds write,
# CVE-2018-5146. 48106 = mail variant, 48105 = client-side variant. No flowbit gate.
# Detection is a fixed 32-byte sequence starting with the |05|"vorbis" setup-header packet marker and the "BCV"
# (42 43 56) codebook sync bytes, fast_pattern:only. Exact-bytes signature: matches the specific codebook header it
# encodes, so a differently constructed setup header for the same bug would not trigger it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt"; flow:to_server,established; file_data; content:"|05 76 6F 72 62 69 73 00 42 43 56 60 00 20 00 00 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5146; classtype:attempted-user; sid:48106; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt"; flow:to_client,established; file_data; content:"|05 76 6F 72 62 69 73 00 42 43 56 60 00 20 00 00 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5146; classtype:attempted-user; sid:48105; rev:1;)
# SIDs 47534 / 47533 (ENABLED; drop in balanced/max-detect/security policies): Adobe Flash Player malformed MP4-AVC
# out-of-bounds read, CVE-2018-12827 (APSB18-25). No flowbit gate. Fixed 32-byte sequence beginning with "avcC"
# (61 76 63 43, the AVC decoder-configuration box tag) followed by the specific SPS bytes of the sample, fast_pattern:only.
# Exact-bytes signature — a different SPS would not match.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|61 76 63 43 01 64 00 A9 F7 E1 00 1E 67 64 00 00 AA 2D C3 8D 01 80 C0 97 03 0E 02 02 FF FF DF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12827; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47534; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|61 76 63 43 01 64 00 A9 F7 E1 00 1E 67 64 00 00 AA 2D C3 8D 01 80 C0 97 03 0E 02 02 FF FF DF FF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12827; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47533; rev:1;)
# SIDs 47530 / 47529 (disabled by default; drop in max-detect/security policies if enabled): Adobe Flash Player malformed
# ID3 "COMM" frame out-of-bounds read, CVE-2018-12824 (APSB18-25). Client-side rule (47530) listed before the mail rule.
# No flowbit gate; fixed "COMM" frame header plus body bytes, fast_pattern:only. Exact-bytes signature as above.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt"; flow:to_client,established; file_data; content:"COMM|00 00 00 0F 00 80 00 00 00 08 78 9C 63 74 84 00 00 07 2C 01 C9 FF FB 90 64 00 00 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12824; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47530; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt"; flow:to_server,established; file_data; content:"COMM|00 00 00 0F 00 80 00 00 00 08 78 9C 63 74 84 00 00 07 2C 01 C9 FF FB 90 64 00 00 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12824; reference:url,helpx.adobe.com/security/products/flash-player/APSB18-25.html; classtype:attempted-user; sid:47529; rev:1;)
# SID 49404 (disabled by default): RealNetworks RealPlayer vidplin.dll AVI header parsing code execution, CVE-2010-4393
# (bugtraq 46047). Mail-side variant only; no client-side counterpart appears in this part of the file.
# Gated on file.avi. Anchors on "strlstrh" (a strl list immediately followed by a strh chunk, fast_pattern, nocase),
# byte_jumps over the little-endian 32-bit chunk length that follows, and alerts when the chunk found at that position
# is NOT "strf" (negated content) — an strh not followed by the stream-format chunk the parser expects.
# NOTE(review): the byte_jump trusts the attacker-supplied length; a value that lands past the buffer simply fails the
# jump and the rule does not fire, so very large lengths are a blind spot rather than a false positive.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_server,established; flowbits:isset,file.avi; file_data; content:"strlstrh"; fast_pattern; nocase; byte_jump:4,0,relative,little; content:!"strf"; within:4; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:49404; rev:1;)
# SIDs 49574 / 49573 (disabled by default): RealNetworks RealPlayer MPEG width integer underflow, CVE-2011-4259
# (bugtraq 50741, OSVDB 77280). Client-side rule (49574) listed before the mail rule (49573). Gated on file.mpeg.
# Requires a |00 00 01| start-code prefix in the first 3 bytes of file_data and alerts when the byte that follows is
# anything other than 0xB3 (the sequence-header start code).
# NOTE(review): this is a very broad condition — any MPEG file that does not begin with a sequence header matches,
# whatever start code it actually opens with. Expect a noticeable false-positive rate if enabled; measure it on
# representative traffic and consider keeping it in alert-only mode.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; content:!"|B3|"; within:1; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,50741; reference:cve,2011-4259; reference:url,osvdb.org/show/osvdb/77280; classtype:attempted-user; sid:49574; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt"; flow:to_server,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01|"; depth:3; content:!"|B3|"; within:1; metadata:service smtp; reference:bugtraq,50741; reference:cve,2011-4259; reference:url,osvdb.org/show/osvdb/77280; classtype:attempted-user; sid:49573; rev:1;)