snort2-docker/docker/etc/rules/file-pdf.rules
2020-02-24 08:56:30 -05:00

1437 lines
803 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------
# FILE-PDF RULES
#----------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt"; flow:to_server,established; file_data; content:"|34 1A 8D 29 34 41 CE 48 24 48 FE 1F C1 5B B7 1D 89 C6 FA E2 FD 2D 09 85 A0 9D 32 DE 17 8B 46 5A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-009; classtype:attempted-user; sid:41602; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt"; flow:to_client,established; file_data; content:"|34 1A 8D 29 34 41 CE 48 24 48 FE 1F C1 5B B7 1D 89 C6 FA E2 FD 2D 09 85 A0 9D 32 DE 17 8B 46 5A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-009; classtype:attempted-user; sid:41601; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader/Acrobat Pro CFF font parsing heap overflow attempt"; flow:to_client,established; file_data; content:"6SC.Pseudo.Font.1|00 00 01 01 87|T|01 01 FF|T|00|V|02 00 01|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-1241; classtype:attempted-user; sid:16546; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Possible Adobe Acrobat Reader ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15728; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll remote memory corruption denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 9C C5 97 4D 4B C4 30 10 86 EF 85 FE 87 39 26 87 CD 26 33|"; fast_pattern:only; content:"|AC 6D EE D5 DD 46 CF 88 D4 87 76 9D 7A D7 B3 A0 40 63 A7 6E F4 2C AA 27 8D A4 5E 35 59 B5 9B E3|"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,41130; reference:cve,2010-2204; classtype:attempted-dos; sid:16801; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; content:"setTimeout|28 22|doSpray|28 29 22|,2500|29 3B|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16323; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D progressive mesh continuation pointer overwrite attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01|k|01 00 00|k|01 00 00 D5 02 00 00 BF 85|]K|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2998; classtype:attempted-user; sid:16173; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D line set heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"7|FF FF FF|h|00 00 00 00 00 00 00 06 00|Box_92|00 00 00 00 00 00 00 00 04 05 00 00| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|AAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2997; classtype:attempted-user; sid:16172; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader collab.addStateModel remote corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.addStateModel"; nocase; content:"cname"; nocase; content:"00"; within:15; distance:2; nocase; pcre:"/Collab\x2EaddStateModel\s*\x28\s*\x7B.*cName\s*\x3A\s*\x22(\x22|\x5Cx00)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2996; classtype:attempted-user; sid:16176; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader collab.removeStateModel denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|x00|5C|x00|5C|x00|5C|x00"; nocase; content:"Collab.removeStateModel"; nocase; pcre:"/var\s*(\w+)\s*\x3D\s*\x22\x5Cx00\x5Cx00\x5Cx00\x5Cx00.*\x22.*Collab\x2EremoveStateModel\s*\x28\s*\1.*\x29/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2988; classtype:attempted-user; sid:16175; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D progressive mesh continuation off by one index attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 08 00 00 00|ABCD"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-3458; classtype:attempted-user; sid:16174; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF pdf file sent via email"; flow:to_server,established; content:"JVBERi0x"; flowbits:set,email.pdf; flowbits:noalert; metadata:service smtp; classtype:policy-violation; sid:15361; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader start-of-file alternate header obfuscation"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%!PS-Adobe-"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf; classtype:misc-activity; sid:16354; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader alternate file magic obfuscation"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%COS-0.2"; depth:1032; content:"PDF-"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf; classtype:misc-activity; sid:16390; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/Launch"; within:100; fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:16523; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF file with embedded PDF object"; flow:to_client,established; file_data; content:"EmbeddedFile"; nocase; content:"3C7064663E"; distance:0; nocase; content:"3C2F7064663E"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18684; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Mac"; fast_pattern; nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fMac\s*\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19648; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Unix"; fast_pattern; nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fUnix\s*\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19647; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/DOS"; fast_pattern; nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fDOS\s*\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19646; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF attempted download of a PDF with embedded PICT image"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; fast_pattern:only; content:"stream"; nocase; pcre:"/^[^\x0A]*?.{88}PICT/mR"; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:20146; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF attempted download of a PDF with embedded PCX image"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream"; nocase; pcre:"/^[^\x0A]*?\x0A[\x00\x02\x03\x05][\x00\x01][\x01\x04\x08\x24].{60}\x00.{5}\x00{58}/mR"; metadata:service ftp-data, service http, service imap, service pop3; classtype:policy-violation; sid:20151; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader doc.export arbitrary file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".export"; nocase; pcre:"/\x2eexport(AsFDF|AsText|AsXFDF|DataObject|XFAData)\x28[^\x2c\x29]*\x2c[^\x2c\x29]*\x2c[^\x29]+\x2eexe/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2993; classtype:attempted-user; sid:16324; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded BMP colors used integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream"; nocase; content:"BM"; within:20; content:"|00 00 00 00|"; within:4; distance:4; content:"|28 00 00 00|"; within:4; distance:4; byte_test:4,>,0x1FFFFFFF,28,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-4373; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20921; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded BMP bit count integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream"; nocase; content:"BM"; within:20; content:"|00 00 00 00|"; within:4; distance:4; content:"|28 00 00 00|"; within:4; distance:4; pcre:"/^.{10}([^\x01\x04\x08\x0F\x10\x18\x20].|.[^\x00]).{16}\x00\x00\x00\x00/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-4373; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20922; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded BMP bit count integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream"; nocase; content:"BM"; within:20; content:"|00 00 00 00|"; within:4; distance:4; content:"|0C 00 00 00|"; within:4; distance:4; pcre:"/^.{6}([^\x01\x04\x08\x0F\x10\x18\x20].|.[^\x00])/R"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-4373; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20923; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDF subroutine pointer attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|90 90 90 E8 00 00 00 00 5B 90 66 C7 03 EB FE|"; fast_pattern:only; content:"RICN"; content:"AR07"; within:6; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2006-5857; classtype:attempted-user; sid:21765; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Plugin Universal cross-site scripting attempt"; flow:to_client,established; file_data; content:".pdf|23|"; fast_pattern:only; pcre:"/\x2Epdf\x23[^\r\n]+\x3Djavascript\x3A/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-0045; reference:url,isc.sans.org/diary.php?storyid=1999; classtype:misc-attack; sid:9842; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPX malformed code-block width memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JPXDecode|0A 3E 3E 0A|stream"; fast_pattern:only; content:"|6A 50 20 20|"; content:"|FF 4F FF 51|"; distance:0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF 52 00 0C|"; within:4; byte_test:1,>,16,5,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,35274; reference:bugtraq,35289; reference:bugtraq,35295; reference:cve,2009-1859; reference:cve,2009-1861; reference:url,www.adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:15562; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Xpdf Splash DrawImage integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; content:"/Image"; within:20; content:"/FlateDecode"; pcre:"/\x3C{2}(?=[^\x3E]*\x2F(Height|Width)\s*\d{6})(?=[^\x3E]*\x2FFlateDecode)[^\x3E]*\x2FSubtype\s*\x2FImage/"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36703; reference:cve,2009-3604; classtype:attempted-user; sid:16355; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader shell metacharacter code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"begin|20|"; depth:6; pcre:"/^begin\s\d+?\s[^\x20\x0d\x0a]*?\x60[^\x20\x0d\x0a]*?\x60/m"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18527; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malicious language.engtesselate.ln file download attempt"; flow:to_client,established; flowbits:isset,file.engtesselate; file_data; content:"2="; isdataat:255,relative; content:!"|0A|"; within:255; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2095; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19253; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CIDFont dictionary glyph width corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|Subtype|20 2F|CIDFontType2"; content:"|2F|W|20 5B|0|20 5B|778|20|0|5D 20|2|20|3|20|250|20|4|20 5B|333|20|408|5D|"; distance:0; content:"|5B|556|20|722|20|667|20|556|20|611|5D|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2105; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19251; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript in PDF go-to actions exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /GoToR"; content:"/F |28|javascript:"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2101; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19254; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader sandbox disable attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B6 84 05 8D 81 80 08 FF E3 A1 87 05 EA 88 A8 83 05 DE 8B B6 04 EA 80 80 08 D6 8B B6 04 99 D0 81 D0 06 EA 80 08 EA 80 A8 03 81 8A B6 04 D0 80 80|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1353; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20162; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded IFF file RGBA chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Subtype|2F|image"; nocase; content:"iff"; within:7; content:"TBHD"; distance:0; byte_extract:4,0,tbhd_width,relative; content:"RGBA"; distance:0; byte_test:2,>,tbhd_width,2,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2436; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20149; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat embedded TIFF DotRange structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Subtype|2F|image"; nocase; content:"tiff"; within:7; content:"II|2A 00|"; within:250; content:"|50 01|"; distance:0; byte_test:2,<,14,0,relative,little; byte_test:2,>,8,2,relative,little; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2432; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20144; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader getCosObj file overwrite attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".write|28|"; nocase; content:".getCosObj|28|"; distance:0; nocase; pcre:"/([A-Z\d_]+)\.write\x28.*?\1\.getCosObj\x28/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2442; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20156; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader field flags exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Ff "; byte_test:10,!&,0x80000000,0,string,relative; byte_test:10,&,0x00100000,0,string,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0589; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18419; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat XML entity escape attempt"; flow:to_client,established; file_data; content:"<|21|ENTITY"; nocase; content:"SYSTEM"; within:50; nocase; content:"http|3A 2F 2F|"; within:50; nocase; content:"http|3A 2F 2F|"; within:500; nocase; pcre:"/<\x21ENTITY[^>]+SYSTEM[^>]+http\x3A\x2F\x2F[^>\s]+http\x3A\x2F\x2F/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0604; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18456; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader oversized object width attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/width"; nocase; byte_test:7,>,1000000,1,relative,string; content:"/DCTDecode"; distance:0; nocase; pcre:"/\x2fwidth[^\x3e]+\x2fDCTDecode/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2980; classtype:attempted-user; sid:16322; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D CLODMeshContinuation code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"1|FF FF FF|"; distance:0; byte_jump:2,8,relative,little; byte_test:4,<,16777216,12,relative,little; content:"<|FF FF FF|"; distance:0; byte_jump:2,8,relative,little; byte_test:4,>,16777215,12,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36665; reference:cve,2009-2990; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; classtype:attempted-user; sid:16373; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader title overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Title"; nocase; pcre:"/^\s*(\x28[^\x29]{538}|\x3c[^\x3e]{538})/Rs"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,43785; classtype:attempted-user; sid:20445; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"|31 FF FF FF|"; distance:0; byte_jump:2,8,relative,little; byte_test:4,>,200,12,relative,little; content:"|3C FF FF FF|"; distance:0; byte_jump:2,8,relative,little; byte_test:4,<,200,12,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37758; reference:bugtraq,67368; reference:cve,2009-3953; reference:cve,2014-0523; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; classtype:attempted-user; sid:20429; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript submitform memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"submitForm"; fast_pattern:only; pcre:"/submitForm\s*\x28[^\x3b]+cURL\s*\x3a\s*[\x22\x27]\s*url\s*\x3a\s*(?!https?)[^\x27\x22\x23]*?\x23/ims"; isdataat:50; content:!"bGet"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-4371; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20998; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader malicious pdf file write access"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"createDataObject"; fast_pattern:only; pcre:"/createDataObject\(\s*?[\x22\x27][cdef]\x3A[\x2F\x5C]/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html; classtype:attempted-user; sid:21095; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat file extension overflow attempt"; flow:to_client,established; content:"Content|2D|Type|3A|"; nocase; http_header; content:"application|2F|pdf"; within:30; fast_pattern; nocase; http_header; file_data; pcre:"/filename\x3d[^\r\n]*\x2e[^\x3b\x3f\x2e\x22\x27\r\n]{18,}[\x22\x27]/Hsmi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,10696; reference:cve,2004-0632; classtype:attempted-user; sid:21162; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader createDataObject file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"createDataObject"; nocase; pcre:"/^\s*\x5C?\x28\s*[\x22\x27][a-z]\x3A[\x2F\x5C]/iR"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html; classtype:attempted-user; sid:21254; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17471; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17472; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed U3D texture continuation integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C FF FF FF 0C 00 00 00 00 00 00 00 08 00 54 65 78 74 75|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2096; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19248; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D file include overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CDF1048AB8979121691236CBF4378433"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2094; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19250; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ICC ProfileDescriptionTag overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CE 00 07 00 09 00 12 00 04 00 33 64 65 73 63 00 00 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2097; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19255; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat GDI object leak memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"f = getAnnotRichMedia|28|"; nocase; content:"f = getAnnotRichMedia|28|"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2439; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20152; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 00 00 C4 0E 00 00 00 40 00 00 00 00 00 00 58 58 58 58 58|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20169; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader app.openDoc path vulnerability"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|42 23 5E 24 C2 C4 4C 62 36 B1 98 F8 3D B1 9A D8 40 6C 21 BA 88 DD C4 61 E2 18 71 8A F8 92 F8 8E|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2431; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20142; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat embedded JPEG file APP0 chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|FF E0 00 10 4A 46 49 46 00 01 02 01 00 48 00 48 00 00|"; content:"|D8 02 28 FF E1 FF E2 02 F9 02 46 03 47 05|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2440; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20153; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 10 80 CC CC 58 58 58 58|"; within:10; distance:13; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2433; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20145; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 01 41 41 41 01 41 41 41 01|"; within:10; distance:11; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2435; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20148; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 E0 80 CC CC 58 58 58 58|"; within:10; distance:13; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2434; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20147; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|42 00 00 00 28 00 00 00 AB AA AA 0A 40 00 00 00 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20171; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 0B 00 00 12 0B 00 00 00 01 00 00 00 01 00 00 41 41 41 41 41 41|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20170; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded PCX parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|20 20 20 0A 0A 05 01 08 00 00 00 00 03 00 FF FF 2C 01 2C 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-2437; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20150; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed jpeg2000 superbox attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"|92 6A 70 32 68 00 00 00 16 69 68 64 72 00 00 02 57 00 00 03 20 00 10 07 07 01 00 00 00 03 44 70 63 6C 72 00 20 19 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0602; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18455; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-2994; classtype:attempted-user; sid:16325; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"8 0 obj"; pcre:"/^\s*<<\s*\/([^>#]*#){9}[^>]*>>\s*stream/smR"; content:"xref|0D 0A|0 9|0D 0A|0000000000 65535 f|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:20575; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PRC file MarkupLinkedItem arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5B 1D 3E DD 05 78 4B E6 00 00 00 00 98 67 25 46|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-4369; reference:url,www.adobe.com/support/security/bulletins/apsb11-30.html; classtype:attempted-user; sid:20802; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader BMP color unused corruption"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6D 70 29 3E 3E 0A 65 6E 64 6F 62 6A 0A 32 30 20 30 20 6F 62 6A 0A 3C 3C 2F 53 75 62 74 79 70 65 2F 69 6D 61 67 65 23 32 66 62 6D 70 3E 3E 73 74 72 65 61 6D 0A 42 4D 80 07 00 00 00 00 00 00 76 00 00 00 28 00 00 00 01 00 00 00 01 00 00 00 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-4372; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20919; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21417; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Possible malicious pdf - new pdf exploit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"NEW PDF EXPLOIT"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:21431; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_client, established; flowbits:isset, file.pdf; file_data; content:"%PDF-1."; fast_pattern:only; content:"=new Array"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/R"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0188; classtype:attempted-user; sid:21429; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; fast_pattern:only; content:"arr=|27|"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0188; classtype:attempted-user; sid:21453; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Possible malicious pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"qwe123"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21583; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF obfuscation attempt"; flow:to_client, established; flowbits:isset,file.pdf; file_data; content:"application/x-javascript"; pcre:"/<script.*?(&#\d+\x3b){30}/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:21582; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader shell metacharacter code execution attempt"; flow:to_server,established; flowbits:isset,smtp.contenttype.attachment; content:"begin|20|"; pcre:"/^begin\s\d+?\s[^\x20\x0d\x0a]*?\x60[^\x20\x0d\x0a]*?\x60/m"; metadata:service smtp; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18526; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader DCT dequantizer memory corruption attempt"; flow:to_client,established; file_data; content:"|FF DB 00 84 00 01 01 01 01 01 01 01 01 01 01 01|"; content:"|FF DA 00 08 01 01 01 06 3F 00 79 4B EA 28 27 1D 16 B6 AA DC 4E 4E 6F 92 38 02 6D CA CE|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-4370; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20920; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app|2E|removeToolButton"; fast_pattern:only; content:"app|2E|addToolButton"; nocase; pcre:"/stream\s*?app\x2Eaddtoolbutton\x28\x7B[^\x7d]*?\x09cname\x3A\s*?\x22(?P<buttonname>\w+?)[^\x7D]*?\x09cenable\x3A\s*?\x22app\x2Eremovetoolbutton\x28\x27(?P=buttonname)\x27\x29[^\x7D]*?\x7D\x29\x3B\s*?endstream/smi"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,52949; reference:cve,2012-0775; reference:url,adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:21881; rev:6;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service netbios-ssn; reference:bugtraq,52952; reference:cve,2012-0776; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:21858; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt"; flow:to_server,established; content:"|2F|msiexec.exe"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:bugtraq,52952; reference:cve,2012-0776; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:21859; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Possible malicious PDF detection - qweqwe="; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"><qwe qweqwe="; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:22941; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20120421195855"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:23044; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Unknown malicious PDF - Title"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Title (0aktEPbG1LcQ9f6d8l32m7gI5eY4)>>"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:23045; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20100829161936"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:23043; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Unknown Malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Creator(sli)/ModDate(D:20080817171147-07|27|00|27|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23140; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XDP encoded download attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"JVBERi"; fast_pattern:only; content:"<xdp:xdp"; nocase; content:"<pdf"; distance:0; nocase; content:"<document"; distance:0; nocase; content:"<chunk"; distance:0; nocase; content:"JVBERi"; within:500; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; reference:url,partners.adobe.com/public/developer/en/xml/xdp_2.0.pdf; classtype:misc-activity; sid:23166; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:23503; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe flash player newfunction memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:" (lolol|5C|056swf)"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23512; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"hmtx"; content:"cmap"; content:"hhea"; pcre:"/(cmap|head|hhea|hmtx|maxp|name|OS\x2F2|post).{4}([\x80-\xFF]|.{4}[\x80-\xFF])/s"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2514; reference:cve,2010-2862; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-065; classtype:attempted-admin; sid:23508; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Unix"; fast_pattern; nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fUnix\s*\x28/smi"; metadata:service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23514; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; fast_pattern:only; content:"arr=|27|"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-0188; classtype:attempted-user; sid:23520; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:23518; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:23517; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:23524; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Mac"; fast_pattern; nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fMac\s*\x28/smi"; metadata:service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23513; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:23506; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"&|EA A7 7C 9A 1D C4 1C FE|&|7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-4324; classtype:attempted-user; sid:23505; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader File containing Flash use-after-free attack attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69 72 73 74 20 39 39 2F 4C 65 6E 67 74 68 20 35 31 31 2F 4E 20 31 35 2F 54 79 70 65 2F 4F 62 6A 53 74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE 6C 52 DB 6E E2 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-1297; classtype:attempted-user; sid:23510; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:23502; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/Launch"; within:100; fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23516; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:23523; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript getIcon method buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Collab.getIcon"; fast_pattern:only; pcre:!"/Collab\.getIcon[^\x28]*?\x28\s*([\x22\x27])[^\1]{1,256}\1\s*\x29/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:23501; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader spell.customDictionaryOpen exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"spell.customDictionaryOpen|5C|(0,dict|5C|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34740; reference:cve,2009-1493; classtype:attempted-user; sid:23500; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader authplay.dll vulnerability exploit attempt"; flow:to_server,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; isdataat:316,relative; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|"; within:48; distance:316; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23511; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; fast_pattern:only; content:"new Array"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-0188; classtype:attempted-user; sid:23521; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed Richmedia annotation exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subtype/RichMedia"; fast_pattern:only; content:"/Annot"; pcre:"/\/Rect\s*\[[^\]]*\./"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:23509; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/DOS"; fast_pattern; nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fDOS\s*\x28/smi"; metadata:service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:23515; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malicious TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 23 34 36 23 36 39 6C 23 37 34 23 36 35 23 37 32 2F|"; content:"stream|0D 0A 78 9C A5 7B|"; nocase; content:"|93 A3|"; within:2; distance:1; content:"|B6 E6 7B FF 8A|"; within:5; distance:1; content:"|B7|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-0188; reference:url,www.securityfocus.com/bid/38195/exploit; classtype:attempted-user; sid:23522; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/"; distance:1; content:"<event activity"; distance:0; content:"initialize"; within:50; distance:1; content:"application/x-javascript"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-1525; reference:cve,2012-1530; reference:cve,2019-7028; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:23612; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/"; distance:1; content:"<event activity"; distance:0; content:"initialize"; within:50; distance:1; content:"application/x-javascript"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1525; reference:cve,2012-1530; reference:cve,2019-7028; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:23611; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid inline image attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"BI|0A|"; content:"/ColorSpace"; within:100; pcre:"/^\s*?[^(ID)]\d/R"; content:"ID"; distance:0; content:"|0A|EI|20 20|"; distance:0; metadata:policy security-ips drop, service smtp; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23871; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4152; reference:cve,2012-4153; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23874; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid font WeightVector attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; content:"%!PS"; distance:0; content:"Blend"; distance:0; content:"|0D 2F|Weight"; distance:0; content:!"Vector ["; within:8; metadata:policy security-ips drop, service smtp; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23865; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Type/PROJCS"; fast_pattern; content:"/WKT|28|"; within:15; isdataat:1024,relative; content:!">"; within:1024; metadata:policy security-ips drop, service smtp; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23891; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid inline image attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"BI|0A|"; content:"/ColorSpace"; within:100; pcre:"/^\s*?[^(ID)]\d/R"; content:"ID"; distance:0; content:"|0A|EI|20 20|"; distance:0; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23870; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 encoding invalid symbol in dictionary segment"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.4"; content:">>stream"; content:"|00 01 00 00 FF FB FF FF FF FF FF FF FF FF FF FF|"; within:512; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4150; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-admin; sid:23883; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid inline image attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|30 34 9C 17 0E D6 9C 3D 64 EC E2 A4 D2 E0 7F EA FC DA 2E 70 CF D7 15 4E AC D7 11 7D 2F 94 6B 8E|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23868; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type /Annot|0A|"; nocase; content:"/Subtype/RichMedia"; distance:0; nocase; content:"getAnnotsRichMedia|28|"; fast_pattern:only; pcre:"/var (?P<var>\w+)\s*=\s*getAnnotsRichMedia\x28.*?(?P=var)\.(pop|shift).*?>> endobj/ims"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4147; classtype:attempted-dos; sid:23882; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid inline image attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"BI|0A|"; content:"/CS"; within:100; pcre:"/^\s*?[^(ID)]\d/R"; content:"ID"; distance:0; content:"|0A|EI|20 20|"; distance:0; metadata:policy security-ips drop, service smtp; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23867; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Blackhole exploit kit related malicious file detection"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; depth:7; content:"<</Creator("; distance:0; nocase; pcre:"/<<\x2fCreator\x28\d{2,3}(.)\d{2,3}\1\d{2,3}\1\d{2,3}\1/smi"; content:")/ModDate"; distance:0; nocase; metadata:service smtp; classtype:trojan-activity; sid:23852; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type /Annot|0A|"; nocase; content:"/Subtype/RichMedia"; distance:0; nocase; content:"getAnnotsRichMedia|28|"; fast_pattern:only; pcre:"/var (?P<var>\w+)\s*=\s*getAnnotsRichMedia\x28.*?(?P=var)\.(pop|shift).*?>> endobj/ims"; metadata:policy security-ips drop, service smtp; reference:cve,2012-4147; classtype:attempted-dos; sid:23881; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid inline image attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|30 34 9C 17 0E D6 9C 3D 64 EC E2 A4 D2 E0 7F EA FC DA 2E 70 CF D7 15 4E AC D7 11 7D 2F 94 6B 8E|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23869; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid font WeightVector attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; content:"%!PS"; distance:0; content:"Blend"; distance:0; content:"|0D 2F|Weight"; distance:0; content:!"Vector ["; within:8; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23864; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid inline image attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"BI|0A|"; content:"/CS"; within:100; pcre:"/^\s*?[^(ID)]\d/R"; content:"ID"; distance:0; content:"|0A|EI|20 20|"; distance:0; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23866; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Blackhole exploit kit related malicious file detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; depth:7; content:"<</Creator("; distance:0; nocase; pcre:"/<<\x2fCreator\x28\d{2,3}(.)\d{2,3}\1\d{2,3}\1\d{2,3}\1/smi"; content:")/ModDate"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:23851; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Type/GEOGCS"; fast_pattern; content:"/WKT|28|"; within:15; isdataat:1024,relative; content:!">"; within:1024; metadata:policy security-ips drop, service smtp; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23892; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader postscript font execution malformed subroutine entries attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-4152; reference:cve,2012-4153; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23875; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 encoding invalid symbol in dictionary segment"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.4"; content:">>stream"; content:"|00 01 00 00 FF FB FF FF FF FF FF FF FF FF FF FF|"; within:512; metadata:policy security-ips drop, service smtp; reference:cve,2012-4150; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-admin; sid:23884; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader collab.collectEmailInfo exploit attempt"; flow:to_client,established; file_data; content:"collab.collectEmailInfo"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,27641; reference:cve,2007-5659; reference:cve,2008-0655; classtype:attempted-user; sid:13478; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader collab.collectEmailInfo exploit attempt - compressed"; flow:to_client,established; file_data; content:"|F7 C5|d|F2 F8 F9|e|B7 EF 8B E9 AF BF F2|@|F1 FB FB A2 9C D9 B3 FB F7 05 CE|>|1E FB F3 E5|x|28|>=~-|B6|Y|DA E9 BC|9|9E A7|&|E6 F4|l2|8A CB|"; metadata:service http; reference:bugtraq,27641; reference:cve,2008-0655; classtype:attempted-user; sid:13477; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Javascript buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<826D67E8A5B1CA4FB"; fast_pattern; content:"<471523284C528D4D9BFB27665CACF0C0>"; distance:0; nocase; content:"|5D 6F DC B8 F1 AF 08 06 7C F0 D6 97 1C 29 92 12|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-5659; classtype:attempted-user; sid:23899; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Javascript buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<826D67E8A5B1CA4FB"; fast_pattern; content:"<471523284C528D4D9BFB27665CACF0C0>"; distance:0; nocase; content:"|5D 6F DC B8 F1 AF 08 06 7C F0 D6 97 1C 29 92 12|"; distance:0; metadata:service smtp; reference:cve,2007-5659; classtype:attempted-user; sid:23900; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader collab.collectEmailInfo exploit attempt"; flow:to_server,established; file_data; content:"collab.collectEmailInfo"; fast_pattern:only; metadata:service smtp; reference:bugtraq,27641; reference:cve,2007-5659; reference:cve,2008-0655; classtype:attempted-user; sid:23898; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Javascript buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Producer (Python PDF Library |5C|055 http"; fast_pattern; content:"|57 E3 00 41 90 43 4E 39 64 6F 41 0E 24 9B 1C 6B|"; within:800; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-5659; classtype:attempted-user; sid:23901; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Javascript buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Producer (Python PDF Library |5C|055 http"; fast_pattern; content:"|57 E3 00 41 90 43 4E 39 64 6F 41 0E 24 9B 1C 6B|"; within:800; metadata:service smtp; reference:cve,2007-5659; classtype:attempted-user; sid:23902; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; nocase; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/si"; byte_test:1,&,0x40,4,relative; byte_test:1,!&,128,4,relative; byte_test:1,!&,32,4,relative; byte_test:1,=,0,5,relative; byte_test:4,>,0x1000,6,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15358; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"8 0 obj"; pcre:"/^\s*<<\s*\/([^>#]*#){9}[^>]*>>\s*stream/smR"; content:"xref|0D 0A|0 9|0D 0A|0000000000 65535 f|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:24124; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt"; flow:to_server,established; file_data; content:"|F7 0F 8E 10 DF 11 F0 13 0F 14 58 15 4D 16 7E 17 A6 19 15 1A 8C 1B 8E 1C E4 1E 2B 1F 13 20 26 22 04 24 1B 25 53 25 B3 26 A4 27 F8 28 D4 29 E0 2A|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:cve,2012-4159; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24149; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF bytecode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2C 23 4B 54 58 20 20 60 B0 01 60 25 8A 38 1B 23 21 59 B8 FF FF 62 2D|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55015; reference:cve,2012-4154; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24152; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt"; flow:to_client,established; file_data; content:"|F7 0F 8E 10 DF 11 F0 13 0F 14 58 15 4D 16 7E 17 A6 19 15 1A 8C 1B 8E 1C E4 1E 2B 1F 13 20 26 22 04 24 1B 25 53 25 B3 26 A4 27 F8 28 D4 29 E0 2A|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4159; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24148; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Annot"; within:10; content:"/Subtype"; distance:0; content:"/FreeText"; within:15; content:"/IT/"; distance:0; pcre:"/\x2fFreeText[^>]+?\x2fIT\x2f((?!FreeText(Typewriter|Callout)).)+?\b/"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4149; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:trojan-activity; sid:24154; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 02 00 01 00 00 00 00 00 14 00 03 00 00 00 00 01 1A|"; byte_jump:4,0,relative,post_offset -4; content:"|00 0C 00 52|"; within:4; byte_test:4,<,0x10,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-4157; reference:url,www.adobe.com/support/security/advisories/apsa12-16.html; classtype:attempted-user; sid:24151; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Annot"; within:10; content:"/Subtype"; distance:0; content:"/FreeText"; within:15; content:"/IT/"; distance:0; pcre:"/\x2fFreeText[^>]+?\x2fIT\x2f((?!FreeText(Typewriter|Callout)).)+?\b/"; metadata:policy security-ips drop, service smtp; reference:cve,2012-4149; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:trojan-activity; sid:24155; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF bytecode memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2C 23 4B 54 58 20 20 60 B0 01 60 25 8A 38 1B 23 21 59 B8 FF FF 62 2D|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; reference:bugtraq,55015; reference:cve,2012-4154; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24153; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TrueType font corrupt header attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 02 00 01 00 00 00 00 00 14 00 03 00 00 00 00 01 1A|"; byte_jump:4,0,relative,post_offset -4; content:"|00 0C 00 52|"; within:4; byte_test:4,<,0x10,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4157; reference:url,www.adobe.com/support/security/advisories/apsa12-16.html; classtype:attempted-user; sid:24150; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Blackberry Server PDF JBIG2 numnewsyms remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/smi"; byte_test:1, !&, 63, 4, relative; byte_test:4, >, 2147483647, 17, relative; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,35102; reference:cve,2009-2643; reference:url,www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18327; classtype:attempted-admin; sid:16336; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF XPDF ObjectStream integer overflow"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Type/ObjStm"; nocase; pcre:"/Type\x2FObjStm[^>]*?\x2FN\s+\d{7}/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,36703; reference:bugtraq,37167; reference:cve,2009-3608; classtype:attempted-user; sid:16335; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF xpdf ObjectStream integer overflow"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Type/ObjStm"; nocase; pcre:"/Type\x2FObjStm[^>]*?\x2FN\s+\d{7}/smi"; metadata:service smtp; reference:bugtraq,36703; reference:bugtraq,37167; reference:cve,2009-3608; classtype:attempted-user; sid:24266; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Overly large CreationDate within a pdf - likely malicious"; flow:to_server,established; flowbits:isset,file.pdf; content:"/CreationDate("; isdataat:500,relative; content:")>>"; distance:0; pcre:"/CreationDate\x28[^\x3c\x29]{500}/"; metadata:service smtp; classtype:misc-activity; sid:24264; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/FT"; isdataat:5,relative; pcre:"/^\s+\/(?!Btn|Tx|Ch|Sig)/R"; content:"/Subtype"; within:200; distance:-100; content:"/Widget"; within:8; fast_pattern; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4148; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:24506; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; nocase; content:"|49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24|"; within:200; metadata:service smtp; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24626; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; nocase; content:"|49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24|"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24625; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader empty object page tree node reference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Pages"; nocase; content:"/XObject"; nocase; content:"/Subtype "; distance:0; nocase; pcre:"/obj\s*?<<[^>]*?\/Pages\s+?(?P<ref>\d+)\s+?\d+?\s+?R[^>]*?>>.*?(?P=ref)\s+?\d+?\s+?obj\s*?<<\s*?>>\s*?endobj/si"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,group-ib.com/index.php/7-novosti/672-group-ib-us-zero-day-vulnerability-found-in-adobe-x; classtype:attempted-user; sid:24721; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader empty object page tree node reference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Pages"; nocase; content:"/XObject"; nocase; content:"/Subtype "; distance:0; nocase; pcre:"/obj\s*?<<[^>]*?\/Pages\s+?(?P<ref>\d+)\s+?\d+?\s+?R[^>]*?>>.*?(?P=ref)\s+?\d+?\s+?obj\s*?<<\s*?>>\s*?endobj/si"; metadata:service smtp; reference:url,group-ib.com/index.php/7-novosti/672-group-ib-us-zero-day-vulnerability-found-in-adobe-x; classtype:attempted-user; sid:24722; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</Filter"; nocase; content:"/Standard"; within:15; fast_pattern; nocase; content:"/Length"; within:15; nocase; byte_test:10,>,256,0,relative,string; metadata:service smtp; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24764; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Filter"; nocase; content:"/Standard"; within:15; fast_pattern; nocase; content:"/Length"; within:15; nocase; byte_test:10,>,256,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24763; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|0A 73 74 72 65 61 6D 0D 0A 78 9C BD 57 4D 6F DB 48 0C BD 2F B0 FF 81 C7 EC 49 F3 FD 01 14 05 D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25469; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_client, established; flowbits:isset,file.pdf; file_data; content:"/Type /Font|0A|/Subtype /TrueType|0A|"; content:"ttcf"; distance:0; byte_test:4,>,0x40000000,4,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0604; classtype:attempted-user; sid:25461; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Javascript openDoc UNC network request attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:".openDoc("; distance:0; nocase; content:"cPath:"; distance:0; nocase; content:"|5C 5C 5C 5C|"; within:7; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57295; reference:cve,2013-0622; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:policy-violation; sid:25450; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj 58 878 <</P 52 0 R/S/Textbox/Type/StructElem/K[ 58 0 R 60 0 R 65 0 R 66 0 R 71 0 R] /Pg 3 0 R>>"; fast_pattern:only; content:"obj 52 968 <</P 49 0 R/S/Slide/Type/StructElem/K[ 53 0 R 56 0 R 58 0 R] /Pg 3 0 R>>"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25468; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_server, established; flowbits:isset,file.pdf; file_data; content:"|F1 B2 8D 48 25 6C 36 DB 82 24 D0 62 42 42 82 B4 26 B0 01 95|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0604; classtype:attempted-user; sid:25464; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87|"; fast_pattern:only; content:"jp2c|FF 4F FF 51|"; byte_extract:4,4,xsiz,relative; byte_test:4,<,xsiz,12,relative; metadata:policy max-detect-ips drop, policy security-ips alert, service smtp; reference:cve,2013-0621; reference:cve,2014-8456; reference:cve,2016-3319; reference:url,adobe.com/support/security/bulletins/apsb13-02.html; reference:url,adobe.com/support/security/bulletins/apsb14-28.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:misc-activity; sid:25460; rev:14;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0A 73 74 72 65 61 6D 0D 0A 78 9C BD 57 4D 6F DB 48 0C BD 2F B0 FF 81 C7 EC 49 F3 FD 01 14 05 D2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25467; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/"; distance:1; content:"<event activity"; distance:0; content:"initialize"; within:50; distance:1; content:"application/x-javascript"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-1525; reference:cve,2012-1530; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:25475; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_server, established; flowbits:isset,file.pdf; file_data; content:"/Type /Font|0A|/Subtype /TrueType|0A|"; content:"ttcf"; distance:0; byte_test:4,>,0x40000000,4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0604; classtype:attempted-user; sid:25463; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Javascript openDoc UNC network request attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:".openDoc("; distance:0; nocase; content:"cPath:"; distance:0; nocase; content:"|5C 5C 5C 5C|"; within:7; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57295; reference:cve,2013-0622; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:policy-violation; sid:25449; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj 58 878 <</P 52 0 R/S/Textbox/Type/StructElem/K[ 58 0 R 60 0 R 65 0 R 66 0 R 71 0 R] /Pg 3 0 R>>"; fast_pattern:only; content:"obj 52 968 <</P 49 0 R/S/Slide/Type/StructElem/K[ 53 0 R 56 0 R 58 0 R] /Pg 3 0 R>>"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25466; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87|"; fast_pattern:only; content:"jp2c|FF 4F FF 51|"; byte_extract:4,4,xsiz,relative; byte_test:4,<,xsiz,12,relative; metadata:policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0621; reference:cve,2014-8456; reference:cve,2016-3319; reference:url,adobe.com/support/security/bulletins/apsb13-02.html; reference:url,adobe.com/support/security/bulletins/apsb14-28.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-102; classtype:misc-activity; sid:25459; rev:15;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_client, established; flowbits:isset,file.pdf; file_data; content:"|F1 B2 8D 48 25 6C 36 DB 82 24 D0 62 42 42 82 B4 26 B0 01 95|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0604; classtype:attempted-user; sid:25462; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF parsing bad cmap format attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|BB 09 74 1C D5 9D FF FB BB 55 DD 5D D5 DD D5 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0623; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25536; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TTF parsing bad cmap format attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|BB 09 74 1C D5 9D FF FB BB 55 DD 5D D5 DD D5 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0623; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25537; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader heap-based buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|FF DA 00 0C 03 02 00 02 11 03 11 00 3F 00 F4 E4 92 49 25 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57282; reference:cve,2013-0603; reference:url,www.adobe.com/support/security/bulletins/APSB13-02.html; classtype:attempted-user; sid:25563; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader heap-based buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; content:"|FF DA 00 0C 03 02 00 02 11 03 11 00 3F 00 F4 E4 92 49 25 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57282; reference:cve,2013-0603; reference:url,www.adobe.com/support/security/bulletins/APSB13-02.html; classtype:attempted-user; sid:25564; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader FlateDecode integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/DecodeParms"; content:"/Predictor"; distance:0; byte_test:4,>,1,1,relative,string,dec; pcre:"/\x2fDecodeParms\s*\x3c{2}\s*(?=[^\x3e]*\/Predictor\s+0*(1\d|[2-9]))([^\x3e]*\x2fBitsPerComponent\s+\d{3}|[^\x3e]*\x2fColumns\s+\d{5}|[^\x3e]*\x2fColors\s+\d{5})/"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35294; reference:bugtraq,36600; reference:cve,2009-1856; reference:cve,2009-3459; classtype:attempted-user; sid:25588; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader plugin bibutils.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|bibutils.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18441; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader plugin cooltype.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|cooltype.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18442; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader plugin sqlite.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|sqlite.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18431; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader d3dref9.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|d3dref9.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0588; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18432; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader plugin cryptocme2.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|cryptocme2.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18443; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|ace.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18439; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-PDF Adobe Acrobat Reader plugin agm.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|agm.dll"; nocase; http_uri; metadata:service http; reference:cve,2011-0570; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18440; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPX malformed code-block width memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"JPXDecode|0A 3E 3E 0A|stream"; fast_pattern:only; content:"|6A 50 20 20|"; content:"|FF 4F FF 51|"; distance:0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF 52 00 0C|"; within:4; byte_test:1,>,16,5,relative; metadata:service smtp; reference:bugtraq,35274; reference:bugtraq,35289; reference:bugtraq,35295; reference:cve,2009-1859; reference:cve,2009-1861; reference:url,www.adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:25767; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF EmbeddedFile contained within a PDF"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/EmbeddedFile"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:trojan-activity; sid:26022; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF PDF file with embedded PDF object"; flow:to_server,established; file_data; content:"EmbeddedFile"; nocase; content:"3C7064663E"; distance:0; nocase; content:"3C2F7064663E"; distance:0; nocase; metadata:service smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:26079; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Nuance PDF reader launch overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/Launch"; distance:0; nocase; isdataat:1024,relative; content:!">>"; within:1024; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:26082; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript regex embedded sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)"; fast_pattern; content:"RegEx"; within:100; distance:-100; pcre:"/^p?\s*\x5c\([^\x3b]*?\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)/Rims"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2550; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26650; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader dll injection sandbox escape"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 6F 05 00 00 68 01 00 00 80 89 54 24 40 FF 54 24 4C 83 EC 0C 68 E0 01 00 00 8D 44 24 68 50 6A 00 6A 00 68 A9 05 00 00 FF B4 24 78 10 00 00 FF 54 24 50 68 C5 00 00 00|"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2730; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26694; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/La"; within:100; nocase; content:"/F"; pcre:"/\/La(.)*?\s*?\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:service smtp; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:26662; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/La"; within:100; nocase; content:"/F"; pcre:"/\/La(.)*?\s*?\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:26661; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat file extension overflow attempt"; flow:to_server,established; content:"Content|2D|Type|3A|"; nocase; http_header; content:"application|2F|pdf"; within:30; fast_pattern; nocase; http_header; pcre:"/filename\x3d[^\r\n]*(\x2e[^\x3b\x3f\x2e\x22\x27\r\n]{18,}[\x22\x27])/Hsmi"; metadata:service smtp; reference:bugtraq,10696; reference:cve,2004-0632; classtype:attempted-user; sid:26755; rev:2;)
# alert tcp any any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript regex embedded sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)"; fast_pattern; content:"RegEx"; within:100; distance:-100; pcre:"/^p?\s*\x5c\([^\x3b]*?\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)/Rims"; metadata:service smtp; reference:cve,2013-2550; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26817; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit PDF Reader authentication bypass attempt"; flow:established,to_server; flowbits:isset,file.pdf; file_data; content:"Type"; nocase; content:"/Action"; distance:0; nocase; content:"Launch"; within:40; nocase; pcre:"/Type\s*\x2FAction.*?Launch.*?\x28\s*\x2f\w/smi"; metadata:service smtp; reference:cve,2009-0836; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; classtype:attempted-user; sid:27690; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit PDF Reader authentication bypass attempt"; flow:established,to_client; flowbits:isset,file.pdf; file_data; content:"Type"; nocase; content:"/Action"; distance:0; nocase; content:"Launch"; within:40; nocase; pcre:"/Type\s*\x2FAction.*?Launch.*?\x28\s*\x2f\w/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2009-0836; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; classtype:attempted-user; sid:27689; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PDSElementGetPageRangeList recursive call denial of service attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"endobj"; content:"/K"; within:50; fast_pattern; pcre:"/endobj\s+(?P<objnum>\d+)\s+0\s+obj\s*<<[^>]*\x2fK\s+(?P<objnum2>\d+)\s+0\s+.*?endobj\s+(?P=objnum2)\s+0\s*obj\s*<<[^>]*\x2fK\s+(?P=objnum)\s/smiO"; metadata:service smtp; reference:bugtraq,62429; reference:cve,2013-3351; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-dos; sid:28618; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDSElementGetPageRangeList recursive call denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"endobj"; content:"/K"; within:50; fast_pattern; pcre:"/endobj\s+(?P<objnum>\d+)\s+0\s+obj\s*<<[^>]*\x2fK\s+(?P<objnum2>\d+)\s+0\s+.*?endobj\s+(?P=objnum2)\s+0\s*obj\s*<<[^>]*\x2fK\s+(?P=objnum)\s/smiO"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,62429; reference:cve,2013-3351; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-dos; sid:28617; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|6B C7 7B 05 9A 12 29 6F 19 ED 78 7D 4C 70 4B 06 8C 95 DF 9B 2C 0C 75 03 81 81 30 12 C5 39 AC BC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3357; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28603; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|D7 E4 FE BD A4 FF 5F 53 02 79 76 04 68 57 BA 4F D0 0B C1 6A 67 D2 83 AB 2E 79 89 20 BE 6D 23 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3357; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28602; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6B C7 7B 05 9A 12 29 6F 19 ED 78 7D 4C 70 4B 06 8C 95 DF 9B 2C 0C 75 03 81 81 30 12 C5 39 AC BC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3357; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28601; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader badly formatted type 0 font attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|D7 E4 FE BD A4 FF 5F 53 02 79 76 04 68 57 BA 4F D0 0B C1 6A 67 D2 83 AB 2E 79 89 20 BE 6D 23 E8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3357; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28600; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|34 30 2E 35 30 33 35 37 20 2D 31 30 36 2E 38 32 32 33 34 20 32 34 30 2E 35 30 33 35 37 20 39 33 2E 31 37 37 36 36 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3355; reference:url,adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28598; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat and Adobe Acrobat Reader field dictionary null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|34 30 2E 35 30 33 35 37 20 2D 31 30 36 2E 38 32 32 33 34 20 32 34 30 2E 35 30 33 35 37 20 39 33 2E 31 37 37 36 36 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3355; reference:url,adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28597; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|16 73 54 7B C9 8B 37 5D 23 7C 40 89 6B 46 57 7C AF 87 9A 2D C0 7D 0C 85 BF 10 B8 7D 61 82 BD C7 C6 79 48 9F 79 B2 31 79 AF 9B E1 9C CD|"; fast_pattern:only; content:"|7B 36 87 2E C4 1C 78 57 B6 B7 AE C4 78 BE B0 D4 99 B3 79 27 AB 23 84 D2 79 9A A5 C3 6F E2 7A 13 A0 A5 5A A4 7A 88 9B A5 45 02 7A E1 96|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3354; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28592; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|16 73 54 7B C9 8B 37 5D 23 7C 40 89 6B 46 57 7C AF 87 9A 2D C0 7D 0C 85 BF 10 B8 7D 61 82 BD C7 C6 79 48 9F 79 B2 31 79 AF 9B E1 9C CD|"; fast_pattern:only; content:"|7B 36 87 2E C4 1C 78 57 B6 B7 AE C4 78 BE B0 D4 99 B3 79 27 AB 23 84 D2 79 9A A5 C3 6F E2 7A 13 A0 A5 5A A4 7A 88 9B A5 45 02 7A E1 96|"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3354; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28591; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader memory disclosure attempt"; flow:to_server,established; file_data; content:"|01 FF 3D 02 8C FF 86 03 6A 00 08 00 0E 00 41 B0 09 10 B0 08 D6 B1 00 0C F9 30 31 03 0F 01 06 23 22 2F 02 7A 05 11 01 0F 0D 03 0E 05 03 6A 57 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,62436; reference:cve,2013-3356; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28578; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader memory disclosure attempt"; flow:to_client,established; file_data; content:"|01 FF 3D 02 8C FF 86 03 6A 00 08 00 0E 00 41 B0 09 10 B0 08 D6 B1 00 0C F9 30 31 03 0F 01 06 23 22 2F 02 7A 05 11 01 0F 0D 03 0E 05 03 6A 57 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62436; reference:cve,2013-3356; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:28577; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|78 9C 25 8B B1 0A C2 30 14 45 77 C1 7F 38 A3 0E C6 BC 0A 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-admin; sid:28624; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 9C 25 8B B1 0A C2 30 14 45 77 C1 7F 38 A3 0E C6 BC 0A 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-admin; sid:28623; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|76 6A 4B 2A D2 43 B0 97 BB 68 7B 55 04 0B 8A 1C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,38195; reference:cve,2010-0188; classtype:attempted-user; sid:28890; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|28 2A 78 CF CB 29 E4 66 6F B9 44 40 11 7F FD 59|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,38195; reference:cve,2010-0188; classtype:attempted-user; sid:28889; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|76 6A 4B 2A D2 43 B0 97 BB 68 7B 55 04 0B 8A 1C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38195; reference:cve,2010-0188; classtype:attempted-user; sid:28888; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|28 2A 78 CF CB 29 E4 66 6F B9 44 40 11 7F FD 59|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,38195; reference:cve,2010-0188; classtype:attempted-user; sid:28887; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JBIG2Globals"; fast_pattern:only; content:"stream"; nocase; content:"|28|"; within:2; distance:5; byte_test:1,&,1,0,relative; byte_test:1,!&,2,0,relative; byte_test:1,!&,4,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,62431; reference:cve,2013-3352; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:29063; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed JBIG2 decode segment null pointer crash attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JBIG2Globals"; fast_pattern:only; content:"stream"; nocase; content:"|28|"; within:2; distance:5; byte_test:1,&,1,0,relative; byte_test:1,!&,2,0,relative; byte_test:1,!&,4,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62431; reference:cve,2013-3352; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:29062; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.removeToolButton"; fast_pattern:only; content:"app.addToolButton"; nocase; pcre:"/^\s*?\x28[^\x29]*?\x7b[^\x7d]*?cName\s*?\x3a\s*?[\x22\x27](?P<cname>[^\x22\x27]+)[\x22\x27].*?cExec\s*?\x3a\s*?[\x22\x27][^\x22\x27]*?app\x2eremoveToolButton\s*?\x28\s*?[\x22\x27](?P=cname)[\x22\x27]/siR"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64804; reference:cve,2014-0496; reference:cve,2016-1079; reference:url,helpx.adobe.com/security/products/acrobat/apsb14-01.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:29410; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.removeToolButton"; fast_pattern:only; content:"app.addToolButton"; nocase; pcre:"/^\s*?\x28[^\x29]*?\x7b[^\x7d]*?cName\s*?\x3a\s*?[\x22\x27](?P<cname>[^\x22\x27]+)[\x22\x27].*?cExec\s*?\x3a\s*?[\x22\x27][^\x22\x27]*?app\x2eremoveToolButton\s*?\x28\s*?[\x22\x27](?P=cname)[\x22\x27]/siR"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64804; reference:cve,2014-0496; reference:cve,2016-1079; reference:url,helpx.adobe.com/security/products/acrobat/apsb14-01.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:29409; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; content:"NDk3NTMyNGI2Njc4NmI2NzM3MzI3NTYzNDE2ZjU4Nzk0ODM3Nzk1YTRmNmY2"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-2462; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:attempted-user; sid:29622; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Resources"; content:"obj|0A|"; content:"/Pattern"; within:40; fast_pattern; content:"|0A|endobj"; within:40; pcre:"/\bobj\x0a\x20*?\/Pattern\x20*?\x0aendobj\b/i"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64803; reference:cve,2014-0495; reference:url,helpx.adobe.com/security/products/acrobat/apsb14-01.html; classtype:attempted-user; sid:29669; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|93 54 64 45 C2 A3 74 36 17 D2 55 E2 65 F2 B3 84|"; fast_pattern:only; content:"/Subtype"; content:"/Widget"; within:20; content:"/AP"; within:30; content:"/N"; within:10; content:"/XObject"; content:"/Subtype"; within:30; content:"/Image"; within:30; content:"/DCTDecode"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64802; reference:cve,2014-0493; reference:url,helpx.adobe.com/security/products/reader/apsb14-01.html; classtype:attempted-user; sid:29903; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|93 54 64 45 C2 A3 74 36 17 D2 55 E2 65 F2 B3 84|"; fast_pattern:only; content:"/Subtype"; content:"/Widget"; within:20; content:"/AP"; within:30; content:"/N"; within:10; content:"/XObject"; content:"/Subtype"; within:30; content:"/Image"; within:30; content:"/DCTDecode"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64802; reference:cve,2014-0493; reference:url,helpx.adobe.com/security/products/reader/apsb14-01.html; classtype:attempted-user; sid:29902; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/XObject"; content:"/Subtype"; within:30; content:"/Image"; within:30; content:"/DCTDecode"; within:200; content:"|79 5B BF 64 C6 B7 11 DD 15 AD 6F AD 5D 60 93 DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64802; reference:cve,2014-0493; reference:url,helpx.adobe.com/security/products/reader/apsb14-01.html; classtype:attempted-user; sid:29905; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid JPEG stream double free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/XObject"; content:"/Subtype"; within:30; content:"/Image"; within:30; content:"/DCTDecode"; within:200; content:"|79 5B BF 64 C6 B7 11 DD 15 AD 6F AD 5D 60 93 DE|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64802; reference:cve,2014-0493; reference:url,helpx.adobe.com/security/products/reader/apsb14-01.html; classtype:attempted-user; sid:29904; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader field flags exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Ff "; byte_test:10,!&,0x80000000,0,string,relative; byte_test:10,&,0x00100000,0,string,relative; metadata:service smtp; reference:cve,2011-0589; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:30236; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit Reader CFF CharStrings buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|78 9C 63 64 60 61 64 60 64 64 14 76 74 72 76 71 75 D3 0E C9|"; fast_pattern:only; metadata:service smtp; reference:cve,2010-1797; reference:url,eternal-todo.com/blog/CVE-2010-1797-foxit-reader-exploit; classtype:attempted-user; sid:30771; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader CFF CharStrings buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 9C 63 64 60 61 64 60 64 64 14 76 74 72 76 71 75 D3 0E C9|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-1797; reference:url,eternal-todo.com/blog/CVE-2010-1797-foxit-reader-exploit; classtype:attempted-user; sid:30770; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt"; flow:to_server,established; file_data; content:"var params = { cVerb:|22|POST|22|, cURL:serverURL, oRequest:util.streamFromString(code), oHandler:{"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67365; reference:cve,2014-0525; reference:url,helpx.adobe.com/security/products/acrobat/apsb14-15.html; classtype:attempted-user; sid:31022; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader api call handling arbitrary execution attempt"; flow:to_client,established; file_data; content:"var params = { cVerb:|22|POST|22|, cURL:serverURL, oRequest:util.streamFromString(code), oHandler:{"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67365; reference:cve,2014-0525; reference:url,helpx.adobe.com/security/products/acrobat/apsb14-15.html; classtype:attempted-user; sid:31021; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<subform w=|22|576pt|22| h=|22|756pt|22|"; fast_pattern:only; content:"restoreState=|22|auto|22|"; nocase; content:"Subform1"; within:500; nocase; content:"x=|22|22.225mm|22| y=|22|19.05mm|22| w=|22|100mm|22| h=|22|50mm|22|"; within:150; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,66205; reference:bugtraq,66512; reference:cve,2014-0511; reference:cve,2014-0512; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31016; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<subform w=|22|576pt|22| h=|22|756pt|22|"; fast_pattern:only; content:"restoreState=|22|auto|22|"; nocase; content:"Subform1"; within:500; nocase; content:"x=|22|22.225mm|22| y=|22|19.05mm|22| w=|22|100mm|22| h=|22|50mm|22|"; within:150; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66205; reference:bugtraq,66512; reference:cve,2014-0511; reference:cve,2014-0512; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31015; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|1B B7 68 EA 32 F9 27 C8 D1 62 A9 0E AD 14 D9 79 2A A9 0E 5E 86 8B F8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0526; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31012; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader DCT encoded stream null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|1B B7 68 EA 32 F9 27 C8 D1 62 A9 0E AD 14 D9 79 2A A9 0E 5E 86 8B F8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0526; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31011; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"MicroStation|20 38 2E 15 AD 23 19 31 39|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67369; reference:cve,2014-0524; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31009; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader length-compute UTF-16 string buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"MicroStation|20 38 2E 15 AD 23 19 31 39|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67369; reference:cve,2014-0524; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31008; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|66 BF 8F 98 F9 8E CE E1 F7 62 AC 15 4B DB CC 9B 8A 2B A5 15 56 2E 77 1C 59 DA 51 75 2E 7A E3 ED 86 B2 B8 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:31106; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|AA F1 8F C6 08 E6 17 1B B7 05 95 11 1E 88 32 5A 55 82 5B 58 F6 E6 84 98 38 B9 C2 5C E1 7C 9D 16 A5 71 E9 91|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:31105; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|66 BF 8F 98 F9 8E CE E1 F7 62 AC 15 4B DB CC 9B 8A 2B A5 15 56 2E 77 1C 59 DA 51 75 2E 7A E3 ED 86 B2 B8 C0|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:31104; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|AA F1 8F C6 08 E6 17 1B B7 05 95 11 1E 88 32 5A 55 82 5B 58 F6 E6 84 98 38 B9 C2 5C E1 7C 9D 16 A5 71 E9 91|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:31103; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".__defineSetter__("; content:"doc"; within:4; content:"app.beginPriv"; within:20; content:".__defineSetter__("; content:"user"; within:5; content:"app.trustedFunction"; within:25; content:"DynamicAnnotStore.call("; content:"app.beginPriv()|3B|"; content:"util.stringFromStream(util.readFileIntoStream("; fast_pattern:only; metadata:service smtp; reference:cve,2014-0521; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31292; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".__defineSetter__("; content:"doc"; within:4; content:"app.beginPriv"; within:20; content:".__defineSetter__("; content:"user"; within:5; content:"app.trustedFunction"; within:25; content:"DynamicAnnotStore.call("; content:"app.beginPriv()|3B|"; content:"util.stringFromStream(util.readFileIntoStream("; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0521; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:31291; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2F|U3D|0A|/Length 17140|0A|/Type /3D|0A 3E 3E 0A|stream|0A 35 35 33 33 34 34|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,55024; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:31440; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|U3D|0A|/Length 17140|0A|/Type /3D|0A 3E 3E 0A|stream|0A 35 35 33 33 34 34|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55024; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:31439; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader U3D CLODMeshDeceleration code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"|31 FF FF FF|"; distance:0; byte_jump:2,8,relative,little; byte_test:4,>,200,12,relative,little; content:"|3C FF FF FF|"; distance:0; byte_jump:2,8,relative,little; byte_test:4,<,200,12,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,37758; reference:bugtraq,67368; reference:cve,2009-3953; reference:cve,2014-0523; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; classtype:attempted-user; sid:31555; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"9376f5dd858be96fbca0289c92534d7d602924149376f5dd858be96fbca0289c92534d4da028bc14"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,67360; reference:cve,2014-0522; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-dos; sid:31613; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded PRC stream NULL dereference denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"9376f5dd858be96fbca0289c92534d7d602924149376f5dd858be96fbca0289c92534d4da028bc14"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,67360; reference:cve,2014-0522; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-dos; sid:31612; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XDP encoded download attempt"; flow:to_server,established; flowbits:isset,file.xml; file_data; content:"JVBERi"; fast_pattern:only; content:"<xdp:xdp"; nocase; content:"<pdf"; distance:0; nocase; content:"<document"; distance:0; nocase; content:"<chunk"; distance:0; nocase; content:"JVBERi"; within:500; nocase; metadata:service smtp; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; reference:url,partners.adobe.com/public/developer/en/xml/xdp_2.0.pdf; classtype:misc-activity; sid:31587; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|D7 65 67 84 91 BB F7 65 C4 9C D4 CA F8 6B 6D 43 36 AF F9 5A 97 50 1B 99 42 CC 7C 9D 68 4D 2C B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:31687; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|D7 65 67 84 91 BB F7 65 C4 9C D4 CA F8 6B 6D 43 36 AF F9 5A 97 50 1B 99 42 CC 7C 9D 68 4D 2C B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:31686; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|79 66 71 EB 38 52 16 4B 94 20 1B 47 33 C9 A7 25 6F B4 97 25 52 4F 4A 60 DB 9B 5F 04 38 1E 45 B7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-0565; reference:url,helpx.adobe.com/security/products/reader/apsb14-20.html; classtype:attempted-user; sid:32022; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D format Line Set Continuation out-of-bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|79 66 71 EB 38 52 16 4B 94 20 1B 47 33 C9 A7 25 6F B4 97 25 52 4F 4A 60 DB 9B 5F 04 38 1E 45 B7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0565; reference:url,helpx.adobe.com/security/products/reader/apsb14-20.html; classtype:attempted-user; sid:32021; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".replace|28|"; pcre:"/(?P<string>\w+)\.replace\x28(?P=string)\x2C\s*(?P=string)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,69827; reference:cve,2014-0567; reference:url,helpx.adobe.com/security/products/reader/apsb14-20.html; classtype:attempted-user; sid:32171; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader string replacement heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".replace|28|"; pcre:"/(?P<string>\w+)\.replace\x28(?P=string)\x2C\s*(?P=string)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,69827; reference:cve,2014-0567; reference:url,helpx.adobe.com/security/products/reader/apsb14-20.html; classtype:attempted-user; sid:32170; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader pattern object memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Resources"; content:"obj|0A|"; content:"/Pattern"; within:40; fast_pattern; content:"|0A|endobj"; within:40; pcre:"/\bobj\x0a\x20*?\/Pattern\x20*?\x0aendobj\b/i"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,64803; reference:cve,2014-0495; reference:url,helpx.adobe.com/security/products/acrobat/apsb14-01.html; classtype:attempted-user; sid:32337; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"jp2c|FF 4F|"; content:"|FF 5E 00|"; distance:0; pcre:"/\xff\x5e\x00(\x05[\x80-\xff]|\x06\x00[\x80-\xff]|\x06[^\x00])/"; metadata:service smtp; reference:bugtraq,37757; reference:cve,2009-3955; classtype:attempted-user; sid:32358; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subrs|20|"; byte_test:10,>,65535,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8460; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32837; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subrs|20|"; byte_test:10,>,65535,1,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8460; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32836; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subrs|20|"; byte_test:10,>,65535,1,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8460; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32835; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subrs|20|"; byte_test:10,>,65535,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8460; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32834; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Cross Domain potentially malicious redirection attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"application/x-formcalc"; fast_pattern:only; content:"Get(|22|http://"; nocase; content:"Post(|22|http://"; distance:0; nocase; content:"</template>"; distance:0; nocase; metadata:service smtp; reference:cve,2014-8453; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32822; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Cross Domain potentially malicious redirection attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"application/x-formcalc"; fast_pattern:only; content:"Get(|22|http://"; nocase; content:"Post(|22|http://"; distance:0; nocase; content:"</template>"; distance:0; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8453; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32821; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt"; flow:to_server,established; file_data; content:"|59 36 B3 3A 5D 20 B4 23 18 8A 81 AB F3 EA 18 D7 14 51 83 50 70 0D 54 D0 22 84 BD FB 1E 27 C2 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8446; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32820; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 row out of bounds memory corruption attempt"; flow:to_client,established; file_data; content:"|59 36 B3 3A 5D 20 B4 23 18 8A 81 AB F3 EA 18 D7 14 51 83 50 70 0D 54 D0 22 84 BD FB 1E 27 C2 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8446; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32819; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"31 37 30 31 34 31 31 38 33 34 36 30 34 36 39 32 33 31 37 33 31 36 38 37 33 30 33 37 31 35 38 38 34 31 30 35 37 32 39"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9158; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:32816; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"31 37 30 31 34 31 31 38 33 34 36 30 34 36 39 32 33 31 37 33 31 36 38 37 33 30 33 37 31 35 38 38 34 31 30 35 37 32 39"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9158; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:32815; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/U3D"; content:"|42 DF CF 92 41 3D 67 1A 43 00 00 80 3F 15 00 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9165; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32814; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed U3D object use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/U3D"; content:"|42 DF CF 92 41 3D 67 1A 43 00 00 80 3F 15 00 46|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9165; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32813; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|A5 9B DB 55 40 CF 75 5B 2B 19 A3 00 2F 10 70 59 A8 B2 96 9F 31 DA 9D 0E F3 28 5A AE E6 01 DA 24|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-8452; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:policy-violation; sid:32800; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<!ENTITY"; nocase; content:"SYSTEM"; within:50; nocase; content:"http://"; within:10; nocase; content:"loadXML"; within:150; fast_pattern; nocase; pcre:"/<\x21ENTITY[^>]+SYSTEM[^>]+http\x3A\x2F\x2F.*?\x2EloadXML/smi"; metadata:service smtp; reference:cve,2014-8452; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:policy-violation; sid:32799; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A5 9B DB 55 40 CF 75 5B 2B 19 A3 00 2F 10 70 59 A8 B2 96 9F 31 DA 9D 0E F3 28 5A AE E6 01 DA 24|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8452; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:policy-violation; sid:32798; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA loadXML escape attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<!ENTITY"; nocase; content:"SYSTEM"; within:50; nocase; content:"http://"; within:10; nocase; content:"loadXML"; within:150; fast_pattern; nocase; pcre:"/<\x21ENTITY[^>]+SYSTEM[^>]+http\x3A\x2F\x2F.*?\x2EloadXML/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8452; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:policy-violation; sid:32797; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"pdf3dsdk_load_lights"; fast_pattern:only; content:"stream|0A|U3D"; content:"|51 FF FF FF|"; distance:0; metadata:policy security-ips alert, service smtp; reference:cve,2014-8445; reference:url,helpx.adobe.com/security/products/research/apsb14-28.html; classtype:attempted-user; sid:32796; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D light resource orphaned array use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"pdf3dsdk_load_lights"; fast_pattern:only; content:"stream|0A|U3D"; content:"|51 FF FF FF|"; distance:0; metadata:policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8445; reference:url,helpx.adobe.com/security/products/research/apsb14-28.html; classtype:attempted-user; sid:32795; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type/XRef/W["; nocase; content:!"]"; within:7; content:"stream"; within:50; nocase; pcre:"/\x2fType\x2fXRef\x2fW\x5b[^\x5d]*?\d{7,15}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,71568; reference:cve,2014-8449; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32794; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XRef object integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type/XRef/W["; nocase; content:!"]"; within:7; content:"stream"; within:50; nocase; pcre:"/\x2fType\x2fXRef\x2fW\x5b[^\x5d]*?\d{7,15}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71568; reference:cve,2014-8449; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32793; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|48 89 44 8F C1 6A C4 30 0C 44 EF 81 FD 07 E3 4B 1C 36 78 EF 0D 3D 14 4A A0 97 52 EA 0F 08 6A AC|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-8448; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:misc-activity; sid:32790; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.beginPriv"; fast_pattern:only; content:"RSS"; content:"addFeed"; within:14; content:"eval"; within:8; metadata:service smtp; reference:cve,2014-8448; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:misc-activity; sid:32789; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|48 89 44 8F C1 6A C4 30 0C 44 EF 81 FD 07 E3 4B 1C 36 78 EF 0D 3D 14 4A A0 97 52 EA 0F 08 6A AC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8448; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:misc-activity; sid:32788; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.beginPriv"; fast_pattern:only; content:"RSS"; content:"addFeed"; within:14; content:"eval"; within:8; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8448; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:misc-activity; sid:32787; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; nocase; byte_test:1,!&,32,4,relative; byte_test:1,=,0,5,relative; byte_test:4,>,0x1000,6,relative,big; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:32786; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|AC F5 D3 D8 7E 4F 9D C3 2E B7 C0 AD 3D 9E 87 B3 9B 87 7B 35 D7 2D 6E 80 00 03 00 B0 66 9F 01 0D 0A|endstream|0A|endobj|0D|53"; fast_pattern:only; metadata:service smtp; reference:cve,2014-8451; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32839; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ANTrustPropgateAll privilege propagation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|AC F5 D3 D8 7E 4F 9D C3 2E B7 C0 AD 3D 9E 87 B3 9B 87 7B 35 D7 2D 6E 80 00 03 00 B0 66 9F 01 0D 0A|endstream|0D|endobj|0D|53"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8451; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32838; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"EI Q|0A|q|0A|"; content:" cm|0A|BI|0A|/W "; within:100; pcre:"/( cm\x0ABI\x0A\/W \x2D?\d{1,7}\x0A\/H \x2D?\d{11})|( cm\x0ABI\x0A\/W \x2D?\d{10,}\x0A\/H \x2D?\d{1,7})/"; metadata:service smtp; reference:cve,2014-9159; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32868; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"EI Q|0A|q|0A|"; content:" cm|0A|BI|0A|/W "; within:100; pcre:"/( cm\x0ABI\x0A\/W \x2D?\d{1,7}\x0A\/H \x2D?\d{11})|( cm\x0ABI\x0A\/W \x2D?\d{10,}\x0A\/H \x2D?\d{1,7})/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9159; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32867; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader graphics module crash attempt"; flow:to_server,established; file_data; content:"%PDF-"; depth:5; content:"/Rotate 90"; content:"/Annots"; within:150; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,71566; reference:cve,2014-8457; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32856; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader graphics module crash attempt"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; content:"/Rotate 90"; content:"/Annots"; within:150; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,71566; reference:cve,2014-8457; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:32855; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt"; flow:established,to_server; flowbits:isset,file.pdf; file_data; content:"|40 E8 D4 F1 FF 33|"; fast_pattern:only; content:"/Type /EmbeddedFile"; metadata:service smtp; reference:cve,2010-2168; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; classtype:attempted-user; sid:33214; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader newfunction memory corruption attempt"; flow:established,to_client; flowbits:isset,file.pdf; file_data; content:"|40 E8 D4 F1 FF 33|"; fast_pattern:only; content:"/Type /EmbeddedFile"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-2168; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; classtype:attempted-user; sid:33213; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/TrueType"; within:20; nocase; content:"SING"; content:!"|00 00 00 00|"; within:4; distance:8; content:"name"; content:"|00 00 00 00|"; within:4; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:33602; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/OpenType"; within:20; nocase; content:"SING"; content:!"|00 00 00 00|"; within:4; distance:8; content:"name"; content:"|00 00 00 00|"; within:4; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:33601; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"begincmap"; content:"beginbfrange"; distance:0; content:"<-"; within:400; content:"endbfrange"; within:400; pcre:"/beginbfrange[-<>0-9a-f\s]*<-[0-9A-F]{4,}>[-<>0-9a-f\s]*endbfrange/smi"; metadata:service smtp; reference:cve,2014-9160; classtype:attempted-user; sid:33909; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll out-of-bounds memory write access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"begincmap"; content:"beginbfrange"; distance:0; content:"<-"; within:400; content:"endbfrange"; within:400; pcre:"/beginbfrange[-<>0-9a-f\s]*<-[0-9A-F]{4,}>[-<>0-9a-f\s]*endbfrange/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-9160; classtype:attempted-user; sid:33908; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader WillSave action use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"this.setAction"; content:"WillSave"; within:20; nocase; content:"this.closeDoc(true)"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3054; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34474; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader WillSave action use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"this.setAction"; content:"WillSave"; within:20; nocase; content:"this.closeDoc(true)"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3054; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34473; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,6666] (msg:"FILE-PDF Foxit Reader remote query string buffer overflow attempt"; flow:to_server,established; urilen:>261; content:".pdf?"; fast_pattern:only; http_uri; pcre:"/^\x2f[^\x2e]*?\.pdf\?[^\r\n]{261}/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,57174; reference:url,retrogod.altervista.org/9sg_foxit_overflow.htm; classtype:attempted-user; sid:33087; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.removeToolButton"; fast_pattern:only; content:"app.addToolButton"; nocase; pcre:"/^\s*\x28\x7BcName\x3A\s*[\x22\x27](?P<button>\w+)[\x22\x27][^\x7D]*?cEnable\x3A\s*[\x22\x27](?P<func>\w+)\x28\w*\x29.*?\x7D\s*\x29.*?(?P=func)\s*=\s*function\s*\x28\w*\x29\x7B\s*app\x2EaddToolButton\s*\x28\s*\x7B[^\x7D]*?cEnable\x3A\s*[\x22\x27]app\x2EremoveToolButton\x28[\x22\x27](?P=button)[\x22\x27]/Ris"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,62149; reference:cve,2013-3346; reference:url,adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:30529; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.removeToolButton"; fast_pattern:only; content:"app.addToolButton"; nocase; pcre:"/^\s*\x28\x7BcName\x3A\s*[\x22\x27](?P<button>\w+)[\x22\x27][^\x7D]+?cEnable\x3A\s*[\x22\x27](?P<func>\w+)\x28\x29.+?(?P=func)\s*=\s*function\s*[^\x7D]+?app\x2EaddToolButton\s*\x28\s*\x7B[^\x7D]+?cEnable\x3A\s*[\x22\x27]app\x2EremoveToolButton\s*\x28\s*[\x22\x27](?P=button)[\x22\x27]/Ris"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62149; reference:cve,2013-3346; reference:url,adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:30528; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.removeToolButton"; fast_pattern:only; content:"app.addToolButton"; nocase; pcre:"/^\s*?\x28[^\x29]+?cName\s*?\x3a\s*?[\x22\x27](?P<cname>\w+)[\x22\x27].*?app\x2eaddToolButton\s*?\x28[^\x29]+?cEnable\s*?\x3a\s*?[\x22\x27](?P<removefunc>\w+?)\x28\x29.*?(?P=removefunc)\s*?=\s*?function[^\x7d]+?app\x2eremoveToolButton\s*?\x28[^\x29]*?[\x22\x27](?P=cname)/siR"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,62149; reference:cve,2013-3346; reference:url,adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:28846; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.removeToolButton"; fast_pattern:only; content:"app.addToolButton"; nocase; pcre:"/^\s*?\x28[^\x29]+?cName\s*?\x3a\s*?[\x22\x27](?P<cname>\w+)[\x22\x27].*?app\x2eaddToolButton\s*?\x28[^\x29]+?cEnable\s*?\x3a\s*?[\x22\x27](?P<removefunc>\w+?)\x28\x29.*?(?P=removefunc)\s*?=\s*?function[^\x7d]+?app\x2eremoveToolButton\s*?\x28[^\x29]*?[\x22\x27](?P=cname)/siR"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62149; reference:cve,2013-3346; reference:url,adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:28845; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,62149; reference:cve,2013-3346; reference:url,adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:28844; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,62149; reference:cve,2013-3346; reference:url,adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:28843; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader universal 3D stream memory corruption attempt"; flow:to_server,established; file_data; content:"|35 30 F0 00 00 00 40 01 00 00 0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 62 6D 70|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46210; reference:cve,2011-0592; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28790; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader universal 3D format memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|9E 88 B1 96 2B 36 6A CD F1 64 69 11 FA F1 68 A1 CC B7 07 AD 2B 97 53 65 A6 CA 05 BD 84 4A 5F 69|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46211; reference:cve,2011-0593; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28748; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader universal 3D format memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|9E 88 B1 96 2B 36 6A CD F1 64 69 11 FA F1 68 A1 CC B7 07 AD 2B 97 53 65 A6 CA 05 BD 84 4A 5F 69|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46211; reference:cve,2011-0593; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28747; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|CF FA F1 A5 07 5A 3B 9A 8D DE 14 C5 9B 2F 00 6C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28743; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CF FA F1 A5 07 5A 3B 9A 8D DE 14 C5 9B 2F 00 6C|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28742; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|97 38 BC 9D C1 AA A3 E2 46 46 E7 84 0A A2 C9 88|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28741; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|97 38 BC 9D C1 AA A3 E2 46 46 E7 84 0A A2 C9 88|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28740; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|97 63 0B 9A 8C 47 CF 3C 33 1A 8D A4 7E B3 4D 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28739; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|97 63 0B 9A 8C 47 CF 3C 33 1A 8D A4 7E B3 4D 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28738; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|97 63 0B 9A C8 A3 67 9E 19 CD 8C A4 7E 73 4D 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28737; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|97 63 0B 9A C8 A3 67 9E 19 CD 8C A4 7E 73 4D 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28736; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|58 25 04 19 BB 69 D4 E6 BF EF 0C 51 9A 44 AB BA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28735; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|58 25 04 19 BB 69 D4 E6 BF EF 0C 51 9A 44 AB BA|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28734; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|B9 7E FE F2 F4 7A FC 89 5F 1F BF 7C 3D DC 1F CE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28733; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|B6 17 50 B4 C0 4A 71 10 04 FE F7 70 A6 8F AA AE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28732; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28731; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B9 7E FE F2 F4 7A FC 89 5F 1F BF 7C 3D DC 1F CE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28730; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B6 17 50 B4 C0 4A 71 10 04 FE F7 70 A6 8F AA AE|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28729; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:28728; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ICC mluc integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|9D E4 94 99 29 73 41 2F A1 D2 57 DA F8 B0 29 44 02 5D 25 CC 92 52 54 88 C9 C2 87 AB FE D2 81 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43729; reference:cve,2010-3621; reference:cve,2010-3622; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:28727; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ICC mluc integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|9D E4 94 99 29 73 41 2F A1 D2 57 DA F8 B0 29 44 02 5D 25 CC 92 52 54 88 C9 C2 87 AB FE D2 81 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43729; reference:cve,2010-3621; reference:cve,2010-3622; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:28726; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ICC mluc integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; byte_test:4,>,357913941,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43729; reference:cve,2010-3621; reference:cve,2010-3622; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:28725; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid PDF JavaScript printSeps extension call attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|91 5F B1 8B A3 42 BF A1 D0 4B 29 45 76 56 B1 88|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2010-4091; classtype:attempted-user; sid:28723; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid PDF JavaScript printSeps extension call attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|91 5F B1 8B A3 42 BF A1 D0 4B 29 45 76 56 B1 88|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-4091; classtype:attempted-user; sid:28722; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; content:"|CE 3B F7 F7 F8 7C E6 43 F7 7B D5 75 EA D4 39 B7|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,41234; reference:cve,2010-2202; classtype:attempted-user; sid:28721; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; content:"|00 80 3F 00 00 00 3F 00 14 FF FF FF 8C 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,41234; reference:cve,2010-2202; classtype:attempted-user; sid:28720; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; content:"|CE 3B F7 F7 F8 7C E6 43 F7 7B D5 75 EA D4 39 B7|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41234; reference:cve,2010-2202; classtype:attempted-user; sid:28719; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; content:"|00 80 3F 00 00 00 3F 00 14 FF FF FF 8C 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,41234; reference:cve,2010-2202; classtype:attempted-user; sid:28718; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|BC E6 7F B4 9B 5F 80 20 07 B2 4B 7A 50 76 49 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2985; classtype:attempted-user; sid:28717; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader compact font format memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|BC E6 7F B4 9B 5F 80 20 07 B2 4B 7A 50 76 49 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2985; classtype:attempted-user; sid:28716; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|6E CB 0B 6D FD D9 81 FE E2 45 B4 B7 D8 D7 8B 78 E9 CB 1A CB 12 8C 36 1E 2A 68 A4 6F 0B E9 BA CD|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:28715; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|3A F6 E1 6F AA F9 AD 54 CC FB A3 54 25 2B BF 22 B5 38 E8 74 98 E3 6F 83 1B 36 25 AD 16 D3 92 69|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:28714; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|02 22 00 0A 01 DA 00 08 02 06 00 08 01 DA 00 08 40 01 00 45 40 01 02 45 63 26 E6 2B B8 00 DC 2B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:28713; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|00 00 01 85 1F 72 2E 57 CB 5F 0F 3C F5 00 09 08 00 00 00 00 00 A7 BD 1E CF 00 00 00 00 B3 DE E7|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:28712; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6E CB 0B 6D FD D9 81 FE E2 45 B4 B7 D8 D7 8B 78 E9 CB 1A CB 12 8C 36 1E 2A 68 A4 6F 0B E9 BA CD|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:28711; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3A F6 E1 6F AA F9 AD 54 CC FB A3 54 25 2B BF 22 B5 38 E8 74 98 E3 6F 83 1B 36 25 AD 16 D3 92 69|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:28710; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Universal 3D stream memory corruption attempt"; flow:to_server,established; file_data; content:"|24 89 12 21 8A 0A 1E F8 F5 DE 99 66 66 79 6F 1F 4F C4 58 CB 15 9B B4 E6 78 B2 D4 08 ED 70 B0 50|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46210; reference:cve,2011-0592; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28709; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader known malicious variable exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|92 5F 45 AB 6D BF F6 22 80 C4 C8 3B 9C 00 03 0E 70 21 9D AF D7 CD F9 2C F1 8A 1A CF CA 38 1A C9|"; fast_pattern:only; content:"|2F|JavaScript"; content:"|2F|XFA"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:28659; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|92 5F 45 AB 6D BF F6 22 80 C4 C8 3B 9C 00 03 0E 70 21 9D AF D7 CD F9 2C F1 8A 1A CF CA 38 1A C9|"; fast_pattern:only; content:"|2F|JavaScript"; content:"|2F|XFA"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57931; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:28658; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|89 C1 37 DE 9B 88 37 8C BC F7 E6 DE B6 9F EE BC 5B 56 A6 7E F4 63 F4 06 2B 65 CF 0F F8 55 24 DD|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28657; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|4B 7B 02 7C 44 8D C4 E0 1B EF 4D C4 1B 46 DE 7B 73 6F DB 4F 77 DE 2D 2B 53 3F FA 31 7A 83 95 B2|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28656; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|82 BC 7C C4 25 39 11 0F 10 24 45 03 AB C1 4F EF 9D E2 03 4C 52 4A F4 68 DB 6F 57 1F D6 15 35 CF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28655; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A0 19 0D 38 07 BF 7C 6F 32 3E C0 48 55 E9 D1 B6 DF EE BC 5B D6 D4 3C FB 31 E4 0E AC 04 7B FC 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28654; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|52 88 04 96 95 30 4B 4A 51 21 26 0F 1F 65 F5 97 0E 04 F8 88 06 89 C1 37 DE 9B 88 37 4C BC F7 E6|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28653; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|27 22 24 34 48 0A BE E9 5E 27 BC 61 14 42 30 F7 B6 FD 74 A7 ED A2 36 CD A3 1F A3 37 58 2A 3B 7E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28652; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|24 06 DF 78 6F 22 DE 30 F2 DE 9B 7B DB 7E BA F3 6E 59 99 FA D1 8F D1 1B AC 94 3D 3F D5 A2 24 A6|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28651; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|AC F8 4B 07 3C 5C 40 8D 84 E0 1B EE 6D C0 1B 26 CE 39 73 6F DB 4F 7F D9 AF 2A 53 3F 86 29 7A 83|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28650; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|37 DE 9B 88 37 8C BC F7 E6 DE B6 9F EE BC 5B 56 A6 7E F4 63 F4 06 2B 65 CF 0F F9 CF 24 E0 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28649; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|1E AD 04 F3 FD 49 AA D2 67 08 9E B2 82 21 77 AD E4 9D 36 51 37 BE 08 CA E0 72 CC 92 52 E4 4B CA|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28648; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|42 4C 42 84 28 2A B8 E0 D7 BB CB 35 EF 2D 33 3B 78 C1 93 73 E8 E0 4C 3B 5C AE 0E 37 78 F4 E3 D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28647; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|8A 4D 5A 71 38 5A CE 08 DD 70 30 57 A6 9B BD D6 E2 1D 55 61 AA 99 A0 97 58 E9 2B 6F 42 DC 38 91|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28646; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|13 3B 53 54 1C 47 8E 03 99 B7 AF C3 65 06 A8 0A D5 64 93 C4 E7 3F BF CF 77 7C 99 F6 A2 37 8D D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28645; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0D 0A 78 9C 33 D0 33 54 28 E7 2A 54 30 50 D0 35 00 32 CD 0C 8D 80 A4 B9 25 88 2C 4A 55 08 D7 52|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28644; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat TrueType font handling remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED CC B1 4B D4 61 1C C7 F1 CF D3 5D 1E 48 10 88 20 0D E2 21 DE EE 70 39 B9 FC 2C FA 07 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,39417; reference:cve,2010-0195; classtype:attempted-admin; sid:28643; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat TrueType font handling remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED CC B1 4B D4 61 1C C7 F1 CF D3 5D 1E 48 10 88 20 0D E2 21 DE EE 70 39 B9 FC 2C FA 07 74|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39417; reference:cve,2010-0195; classtype:attempted-admin; sid:28642; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll glyf directory table buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|72 65 61 6D 0D 0A 78 DA 65 52 DB 6A C3 30 0C 7D CF 57 E8 07 56 CB B1 13|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:28639; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll glyf directory table buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|72 65 61 6D 0D 0A 78 DA 65 52 DB 6A C3 30 0C 7D CF 57 E8 07 56 CB B1 13|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-tml; classtype:attempted-user; sid:28638; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll glyf directory table buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|78 DA 35 CD 51 0A C2 30 0C 06 E0 F7 9C 22 17 B0 4D BA B5 36|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:28635; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll composite glyf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA 35 CD 51 0A C2 30 0C 06 E0 F7 9C 22 17 B0 4D BA B5 36|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:28634; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Universal 3D stream memory corruption attempt"; flow:to_client,established; file_data; content:"|24 89 12 21 8A 0A 1E F8 F5 DE 99 66 66 79 6F 1F 4F C4 58 CB 15 9B B4 E6 78 B2 D4 08 ED 70 B0 50|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46210; reference:cve,2011-0592; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28633; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|88 C2 62 23 16 92 44 89 10 45 05 0F FC 7A EF BC 66 66 79 6F 1F 4F C4 58 CB 15 1B B5 E6 78 B2 34 08|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0599; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28628; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|7F 98 52 0B CF DB 04 72 49 2B 1A 1B 11 85 C5 46 2C 24 89 12 21 8A 0A 1E F8 F5 DE 79 CD CC F2 DE 3E 9E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0599; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28627; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 E7 1B E8 3B 33 C0 10 08 59 8C 06 03 21 7B 4C 04 D1 98 C4 2C 20 26 C6 98 28 88 9A 44 8D 82 18 93 68 54 10 35 44 45|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35282; reference:cve,2009-1855; reference:url,adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:28626; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D rgba parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|85 C4 18 12 88 A2 82 0B 7E BD BB 6E 73 CE 70 EF 5C 9E 88 B1 96 06 1B B4 E1 74 B6 5C 11 DA E1 60|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46209; reference:cve,2011-0591; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28625; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A5 54 0B 58 4C EB 1A 5E DD 91 4A 37 49 84 6A EB B2 0B 35 63 D3 C5 5A B3 96 C8 A5 0B 51 51 A8 76 25 A2 D4 8E|"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2462; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:attempted-user; sid:28622; rev:7;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|19 33 66 CC 98 31 63 C6 8C 19 33 66 CC 98 31 63 C6 8C 19 33 66 D9 CC 34 B0 5B 66 CC 98 31 63 C6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:28621; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf&file.ttf; file_data; content:"head"; content:"hhea"; within:4; distance:12; byte_test:4,>,54,-8,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-3353; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28586; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader OTF font head table size overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf&file.ttf; file_data; content:"head"; content:"hhea"; within:4; distance:12; byte_test:4,>,54,-8,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-3353; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28585; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 0A 00 00 02 00|"; fast_pattern; content:"|00 01 00 00|"; within:4; distance:4; content:"|00 01 00 00|"; within:4; distance:-20; byte_test:2,>=,0xfff8,-8,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-user; sid:28462; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 0A 00 00 02 00|"; fast_pattern; content:"|00 01 00 00|"; within:4; distance:4; content:"|00 01 00 00|"; within:4; distance:-20; byte_test:2,>=,0xfff8,-8,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-user; sid:28461; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|26 EA A7 7C 9A 1D C4 1C FE 26 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-4324; classtype:attempted-user; sid:28454; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|30 45 46 46 45 43 35 30 F0 00 00 00 40 01 00 00 0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 70 73 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,46211; reference:cve,2011-0593; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28427; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"0EFFEC50|F0 00 00 00 40|"; content:"z|3A 5C|hacking|5C|adobe|5C|u3d|5C|images|5C|one.bmp"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0599; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:28426; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat TrueType font handling remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|8B FC 00 00 00 24 6D 61 78 70 30 95 05 06 00 01 CF BC 00 00 00 20 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,39417; reference:cve,2010-0195; classtype:attempted-admin; sid:28389; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat TrueType font handling remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|8B FC 00 00 00 24 6D 61 78 70 30 95 05 06 00 01 CF BC 00 00 00 20 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,39417; reference:cve,2010-0195; classtype:attempted-admin; sid:28388; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_server,established; file_data; content:"|35 3E 5D 0A 3E 3E 0A 73 74 61 72 74 78 72 65 66 0A 32 34 36 31 32 35 0A 25 25 45 4F 46 0A 0D 0A 25 53 49 47 4E 41 54 55 52 45 3A 20 E2 DA 47 7E AC 80 D7 7E AB 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28380; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|74 2B 63 7F 6D 09 50 46 0C 9D 0E 0C 10 11 12 17 14 15 E9 E8 18 19 1A A3 1C 1D 1E 1F 20 21 22 63|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28379; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|74 2B 63 7F 6D 09 50 46 0C 9D 0E 0C 10 11 12 17 14 15 E9 E8 18 19 1A A3 1C 1D 1E 1F 20 21 22 63|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28378; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|56 06 06 96 75 0C 02 0C 08 20 C0 C0 02 14 65 61 E0 98 00 E2 CD 5F 26 F2 8E 6F 35 AF B3 A8 3E 9F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28377; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|56 06 06 96 75 0C 02 0C 08 20 C0 C0 02 14 65 61 E0 98 00 E2 CD 5F 26 F2 8E 6F 35 AF B3 A8 3E 9F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28376; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_server,established; file_data; content:"10 0 obj"; content:"65932>>"; within:200; content:"|78 9C D4 BD|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28375; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 DA EC BD 09 78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 5B D8 D2 49 48 20 10 92|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:28374; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CF 6A F7 2A 77 3C DE F1 11 75 33 D3 94 74 4A 14 73 4B 18 A1 66 C2 0F DE 3D ED 19 D4 32 2E B6 11|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2462; reference:cve,2015-3070; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:attempted-user; sid:28361; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|48 89 EC 55 7B 4C 53 69 16 BF 3C 2C F4 21 A0 C2 95 96 0B 5C 0A 22 BD 76 78 8A D8 5A 40 1E 22 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35282; reference:cve,2009-1855; reference:url,adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:28303; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll composite glyf buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|C3 A6 1D 01 00 00 08 D8 00 00 06 31 67 6C 79 66 19 37 28 6D 00 00 0F 09 00 00 01 B0 68 65 61 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:28266; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll glyf directory table buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|00 18 00 1D 00 23 00 28 00 2E 00 32 00 34 00 38 00 3A 00 3F 00 45 00 49 00 4B 00 50 00 56 00 5B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:28262; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ICC mluc integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|5A 49 41 57 4F 51 55 42 71 EB BF 7F FC D7 E7 EB 3C 89 02 FF 7F 8B 97 F4 7F FE D9 E1 F4 D7 30 89|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43729; reference:cve,2010-3621; reference:cve,2010-3622; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:28261; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ICC remote memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|CA 32 31 99 3A F5 D0 21 63 E3 E1 C3 B3 B2 CC CD 7B F7 CE CC 44 55 39 70 00 BB 77 2F 2F 0A E1 23|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43726; reference:cve,2010-3621; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:28260; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ICC remote memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CA 32 31 99 3A F5 D0 21 63 E3 E1 C3 B3 B2 CC CD 7B F7 CE CC 44 55 39 70 00 BB 77 2F 2F 0A E1 23|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43726; reference:cve,2010-3621; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:28257; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ICC mluc integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5A 49 41 57 4F 51 55 42 71 EB BF 7F FC D7 E7 EB 3C 89 02 FF 7F 8B 97 F4 7F FE D9 E1 F4 D7 30 89|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43729; reference:cve,2010-3621; reference:cve,2010-3622; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:28256; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"AAAC/wAAAu0AABNBQkNERUZHSElQSUhHRkVEQ0JB|0A|UAAB|0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:28252; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|S|2F|JavaScript|2F|JS"; content:"|6B DC 56 10 7D AE C1 FF 41 18 0C 36 4E 6C 5D CD|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30035; reference:cve,2008-2992; classtype:attempted-user; sid:27233; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|S |2F|JavaScript|0A 2F|JS"; content:"|6E 1B 37 10 7D D7 57 2C 0C 18 B0 61 27 18 DE B9|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,30035; reference:cve,2008-2992; classtype:attempted-user; sid:27232; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|F6 EC D9 B3 67 CF 9E 3D 7B F6 EC D9 B3 67 CF 9E 3D 7B F6 EC D9 B3 67 CF 9E 3D 7B F6 EC D9 B3 67|"; fast_pattern:only; pcre:"/\xF6\xEC\xD9\xB3\x67\xCF\x9E\x3D\x7B(\xF6\xEC\xD9\xB3\x67\xCF\x9E\x3D\x7B){500}/m"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26928; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|F6 EC D9 B3 67 CF 9E 3D 7B F6 EC D9 B3 67 CF 9E 3D 7B F6 EC D9 B3 67 CF 9E 3D 7B F6 EC D9 B3 67|"; fast_pattern:only; pcre:"/\xF6\xEC\xD9\xB3\x67\xCF\x9E\x3D\x7B(\xF6\xEC\xD9\xB3\x67\xCF\x9E\x3D\x7B){500}/m"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26927; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_server,established; file_data; content:"|C6 1D 00 E0 F7 FE 14 37 BD 08 6C 38 FA 1B 3B 69 62 2B 81 EB A6 5D 86 0D 68 96 74 2F 86 01 05 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26652; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; file_data; content:"|C6 1D 00 E0 F7 FE 14 37 BD 08 6C 38 FA 1B 3B 69 62 2B 81 EB A6 5D 86 0D 68 96 74 2F 86 01 05 2D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26651; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF with large embedded JavaScript - JS string attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction <<"; content:"/JS"; within:15; fast_pattern; nocase; isdataat:1000,relative; content:!"endobj"; within:1000; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:26513; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,6666] (msg:"FILE-PDF Foxit Reader remote query string buffer overflow attempt"; flow:to_server,established; content:".pdf?"; fast_pattern:only; pcre:"/^GET\s+?\x2f[^\x2e]*?\.pdf\?[^\r\n]{512}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,57174; reference:url,retrogod.altervista.org/9sg_foxit_overflow.htm; classtype:attempted-user; sid:26283; rev:8;)
# alert tcp $EXTERNAL_NET [$HTTP_PORTS,6666] -> $HOME_NET any (msg:"FILE-PDF Foxit Reader remote query string buffer overflow attempt"; flow:to_client,established; content:".pdf?"; fast_pattern:only; content:"Location:"; offset:12; nocase; pcre:"/^Location\x3a\s*?[^\x2e]*?\.pdf\?[^\r\n]{512}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,57174; reference:url,retrogod.altervista.org/9sg_foxit_overflow.htm; classtype:attempted-user; sid:26282; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,6666] (msg:"FILE-PDF Foxit Reader remote query string buffer overflow attempt"; flow:to_server,established; content:".pdf?"; fast_pattern:only; http_uri; pcre:"/^\x2f[^\x2e]*?\.pdf\?[^\r\n]{512}/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,57174; reference:url,retrogod.altervista.org/9sg_foxit_overflow.htm; classtype:attempted-user; sid:26281; rev:8;)
# alert tcp $EXTERNAL_NET [$HTTP_PORTS,6666] -> $HOME_NET any (msg:"FILE-PDF Foxit Reader remote query string buffer overflow attempt"; flow:to_client,established; content:".pdf?"; fast_pattern:only; http_header; pcre:"/^Location\x3a[^\x2e]*?\.pdf\?[^\r\n]{512}/Him"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,57174; reference:url,retrogod.altervista.org/9sg_foxit_overflow.htm; classtype:attempted-user; sid:26280; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF PDF version 1.1 with FlateDecode embedded - seen in exploit kits"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.1"; content:"/FlateDecode"; distance:0; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:26231; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Flash Player memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|"; within:48; distance:112; metadata:policy max-detect-ips drop, service smtp; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:26113; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF transfer of a PDF with OpenAction object attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/OpenAction"; distance:0; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fOpenAction/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-8450; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:26078; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF transfer of a PDF with embedded JavaScript - JavaScript object detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/JavaScript"; distance:0; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fJavaScript/smi"; metadata:policy max-detect-ips drop, service smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:26077; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF download of a PDF with embedded JavaScript - JS string attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/JS"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*?\x2fJS[\s<>]/smi"; metadata:policy max-detect-ips drop, service smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:26076; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA app.setTimeOut memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.setTimeOut"; fast_pattern:only; content:"|2F|JavaScript"; content:"|2F|XFA"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,57931; reference:cve,2013-0640; reference:cve,2013-0641; reference:cve,2016-6946; reference:cve,2017-2961; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:26021; rev:12;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader known malicious variable exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"/JS "; within:100; content:"|5C|n"; within:10; content:"|3B 5C|n"; within:30; fast_pattern; content:"|5C|n"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:25819; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader known malicious variable exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"/JS "; within:100; content:"ROP_ADD_ESP_4 = "; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:25818; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 0A 00 00 02 00|"; fast_pattern; content:"|00 01 00 00|"; within:4; distance:4; content:"|00 02|"; within:2; distance:-20; content:!"|00 00|"; within:2; byte_test:2,>=,0xfff8,-6,relative; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-user; sid:24508; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 0A 00 00 02 00|"; fast_pattern; content:"|00 01 00 00|"; within:4; distance:4; content:"|00 02|"; within:2; distance:-20; content:!"|00 00|"; within:2; byte_test:2,>=,0xfff8,-6,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-user; sid:24507; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.eot|file.pdf|file.otf|file.ttf; file_data; content:"hmtx"; content:"cmap"; content:"head"; pcre:"/(cmap|head|hmtx|hhea|maxp|name|OS\x2F2|post).{4}([\x80-\xFF]|.{4}[\x80-\xFF])/s"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,36029; reference:bugtraq,42203; reference:cve,2009-2514; reference:cve,2010-2862; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-065; classtype:attempted-admin; sid:24487; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.eot|file.pdf|file.otf|file.ttf; file_data; content:"OTTO"; content:"hmtx"; content:"cmap"; content:"hhea"; content:!"hhea"; within:20; byte_test:4,>=,0x80000000,4,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2514; reference:cve,2010-2862; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-065; classtype:attempted-admin; sid:24486; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot|file.pdf|file.otf|file.ttf; file_data; content:"OTTO"; content:"hmtx"; content:"cmap"; content:"hhea"; content:!"hhea"; within:20; byte_test:4,>=,0x80000000,4,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2514; reference:cve,2010-2862; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-065; classtype:attempted-admin; sid:24485; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Overly large CreationDate within a pdf - likely malicious"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate("; isdataat:500,relative; content:")>>"; distance:0; pcre:"/\/CreationDate\x28[^\x3c\x29]{500}/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24263; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Sending of a PDF with embedded JavaScript - JS string attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/JS"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*?\x2fJS[\s<>]/smi"; metadata:policy max-detect-ips drop, service smtp; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:23897; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/GEOGCS"; fast_pattern; content:"/WKT|28|"; within:15; isdataat:1024,relative; content:!">"; within:1024; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23890; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/PROJCS"; fast_pattern; content:"/WKT|28|"; within:15; isdataat:1024,relative; content:!">"; within:1024; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23889; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; fast_pattern:only; content:"|14 FF FF FF|"; content:"|55 FF FF FF|"; distance:0; byte_jump:2,8,relative,little,post_offset 9; byte_test:4,>=,0x1,0,relative,little; content:"|00 0E 01 00|"; within:4; distance:4; byte_test:2,>,0x260,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55024; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:23880; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; fast_pattern:only; content:"|14 FF FF FF|"; content:"|55 FF FF FF|"; distance:0; byte_jump:2,8,relative,little,post_offset 9; byte_test:4,>=,0x1,0,relative,little; content:"|00 0E 01 00|"; within:4; distance:4; byte_test:2,>,0x260,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55024; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:23879; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"getAnnots"; nocase; pcre:"/getAnnots\x5C?\([^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*-\d/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34736; reference:cve,2009-1492; classtype:attempted-user; sid:23504; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe flash player newfunction memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:" (lolol|5C|056swf)"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:23263; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF EmbeddedFile contained within a PDF"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/EmbeddedFile"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:23041; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|02 22 00 0A 01 DA 00 08 02 06 00 08 01 DA 00 08 40 01 00 45 40 01 02 45 63 26 E6 2B B8 00 DC 2B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:22938; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|00 00 01 85 1F 72 2E 57 CB 5F 0F 3C F5 00 09 08 00 00 00 00 00 A7 BD 1E CF 00 00 00 00 B3 DE E7|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0774; reference:url,www.adobe.com/support/security/bulletins/apsb12-08.html; classtype:attempted-user; sid:21878; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/U3D"; content:"|C8 FF FF FF 6B 18 21 7C 4E 06 67 20 70 CA AF 30|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2462; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:attempted-user; sid:21253; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:" obj |0A|<<|0A|"; content:"/Subtype /U3D|0A|"; within:50; fast_pattern; content:"Length"; distance:0; byte_extract:4,1,length,relative,string,dec; content:"/Type /3D|0A|>>|0A|stream|0A|"; within:20; distance:1; content:"|45 FF FF FF|"; within:length; byte_jump:2,8,relative,little; byte_test:4,>,0,8,relative; byte_test:4,=,0,12,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2462; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:attempted-user; sid:20659; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malicious TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 23 34 36 23 36 39 6C 23 37 34 23 36 35 23 37 32 2F|"; content:"stream|0D 0A 78 9C A5 7B|"; nocase; content:"|93 A3|"; within:2; distance:1; content:"|B6 E6 7B FF 8A|"; within:5; distance:1; content:"|B7|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0188; reference:url,www.securityfocus.com/bid/38195/exploit; classtype:attempted-user; sid:20577; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll composite glyf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|C3 A6 1D 01 00 00 08 D8 00 00 06 31 67 6C 79 66 19 37 28 6D 00 00 0F 09 00 00 01 B0 68 65 61 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20155; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CoolType.dll glyf directory table buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|00 18 00 1D 00 23 00 28 00 2E 00 32 00 34 00 38 00 3A 00 3F 00 45 00 49 00 4B 00 50 00 56 00 5B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49581; reference:cve,2011-2441; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20154; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF attempted download of a PDF with embedded Flash"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream"; nocase; pcre:"/stream[\x0A\x0D]{1,2}[CF]WS/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35758; reference:bugtraq,41237; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-2201; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19269; rev:14;)
# alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"FILE-PDF attempted download of a PDF with embedded Flash"; flow:to_client,established; content:"stream"; nocase; pcre:"/stream[\x0A\x0D]{1,2}[CF]WS/i"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,35759; reference:bugtraq,41237; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-2201; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19268; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader script injection vulnerability"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"(j)"; content:"(a)"; within:10; distance:5; content:"(v)"; within:10; distance:5; fast_pattern; content:"(a)"; within:10; distance:5; content:"(s)"; within:10; distance:5; content:"(c)"; within:10; distance:5; content:"(r)"; within:10; distance:5; content:"(i)"; within:10; distance:5; content:"(p)"; within:10; distance:5; content:"(t)"; within:10; distance:5; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-3956; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; classtype:attempted-user; sid:19118; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed U3D integer overflow"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/FlateDecode/Length 96729/Subtype/U3D/Type/3D/VA"; content:"/TYPE/3DView/XN(DefaultView)>>]>>stream|0D 0A 78 DA AC DD 05|"; within:46; distance:114; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-3959; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:19117; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|"; within:48; distance:112; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19082; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 01 C2 96 4E 42 02 81 10 22 84 55 C1 84 6C 04|"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18991; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 9C EC BD 09 78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 5B D8 D2 49 48 20 10 92|"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18990; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/FontDescriptor"; content:"/Length1 65932"; distance:0; content:"|78 DA EC BD 09 78 54 45 F6 38 5A 75 EB AE BD 77 27 9D 7D E9 EC 04 02 09 09 5B D8 D2 49 48 20 10 92|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18989; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; file_data; content:"10 0 obj"; content:"65932>>"; within:200; content:"|78 9C D4 BD|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18988; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/TrueType"; within:20; nocase; content:"name"; content:"|00 00 00 00|"; within:4; distance:8; content:"SING"; content:!"|00 00 00 00|"; within:4; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18987; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/OpenType"; within:20; nocase; content:"name"; content:"|00 00 00 00|"; within:4; distance:8; content:"SING"; content:!"|00 00 00 00|"; within:4; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43057; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:18986; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JpxDecode invalid crgn memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jp2c|FF 4F|"; content:"|FF 5E 00|"; distance:0; pcre:"/\xff\x5e\x00(\x05[\x80-\xff]|\x06\x00[\x80-\xff]|\x06[^\x00])/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37757; reference:cve,2009-3955; classtype:attempted-user; sid:18801; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF transfer of a PDF with OpenAction object attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/OpenAction"; distance:0; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fOpenAction/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8450; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18682; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF transfer of a PDF with embedded JavaScript - JavaScript object detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/JavaScript"; distance:0; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*\x2fJavaScript/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18681; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|S|2F|JavaScript|2F|JS"; nocase; content:"|ED 54 CB 6E 13 41 10 BC FB 2B 46 91 AC D8 72 88|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2992; classtype:attempted-user; sid:18596; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:18585; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CCITT stream compression filter invalid image size heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|CCITTFaxDecode"; nocase; content:"|2F|Columns"; within:500; nocase; byte_test:10,>,65535,0,relative,string; pcre:"/\x2FCCITTFaxDecode[^\x3E]*\x2fColumns\s+\d{5}/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46199; reference:cve,2011-0567; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18507; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CCITT stream compression filter invalid image size heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|CCF"; nocase; content:"|2F|Columns"; within:500; nocase; byte_test:10,>,65535,0,relative,string; pcre:"/\x2FCCF[^\x3E]*\x2fColumns\s+\d{5}/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46199; reference:cve,2011-0567; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18506; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D rgba parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 72 67 62 61|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46209; reference:cve,2011-0591; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18457; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"0EFFEC50|F0 00 00 00 40|"; content:"z|3A 5C|hacking|5C|adobe|5C|u3d|5C|images|5C|one.bmp"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0599; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18454; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat universal 3D format memory corruption attempt"; flow:to_client,established; file_data; content:"|30 45 46 46 45 43 35 30 F0 00 00 00 40 01 00 00 0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 70 73 64|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46211; reference:cve,2011-0593; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18453; rev:22;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat ICC color integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|ICCBased"; nocase; content:"id=|22|W5M0MpCehiHzreSzNTczkc9d"; distance:0; nocase; content:"|78 9C 94 DA 07 50 53 5D FB 28 FA A8 28 2A 62 41 11 15 45|"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46219; reference:cve,2011-0598; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18451; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed BMP RGBQUAD attempt"; flow:to_client, established; flowbits:isset,file.bmp; file_data; content:"BM|37 00 00 00 00 00 00 00 36 04 00 00 28 00 00 00|"; fast_pattern:only; pcre:"/\xFF\x41$/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-0596; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18450; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Universal 3D stream memory corruption attempt"; flow:to_client,established; file_data; content:"|35 30 F0 00 00 00 40 01 00 00 0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 62 6D 70|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,46210; reference:cve,2011-0592; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18448; rev:21;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ICC mluc integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; byte_test:4,>,357913941,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43729; reference:cve,2010-3621; reference:cve,2010-3622; reference:url,www.adobe.com/support/security/bulletins/apsb10-21.html; classtype:attempted-user; sid:18308; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid PDF JavaScript printSeps extension call attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"printSeps"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,44638; reference:cve,2010-4091; reference:url,www.adobe.com/support/security/bulletins/apsb10-28.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-admin; sid:18102; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF download of a PDF with embedded JavaScript - JS string attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; nocase; content:"<<"; within:4; content:"/JS"; distance:0; fast_pattern; nocase; pcre:"/obj[\s\x0d\x0a]{0,2}<<[^>]*?\x2fJS[\s<>]/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:17668; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-PDF CUPS and Xpdf JBIG2 symbol dictionary buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; content:"|03 FF FD FF 02 FE FE FE 00 00 00 36 FF FF FF F0 94 6B 62 1B|"; within:1000; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0195; reference:url,www.cups.org/str.php?L3129; classtype:attempted-user; sid:17641; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|48 89 EC 55 7B 4C 53 69 16 BF 3C 2C F4 21 A0 C2 95 96 0B 5C 0A 22 BD 76 78 8A D8 5A 40 1E 22 2D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35282; reference:cve,2009-1855; reference:url,adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:17526; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF BitDefender Antivirus PDF processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 33|"; depth:16; content:"|3C 3C 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 44 65 63 6F 64 65 20 2F 41 53 43 49 49 48 65 78 44 65 63 6F 64 65 5D|"; within:40; distance:8; content:"|78 9C ED C2 31 0D 00 00 00 02 A0 4C 6E F6 CF 66 0D 0F 06 4D 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 30 4B 03 6A 32|"; within:45; distance:22; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32396; reference:cve,2008-5409; classtype:attempted-user; sid:17430; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDF Catalog Handling denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"3 0 obj|0D 3C 3C 20 0D|/Type /Pages|20 0D|"; fast_pattern; nocase; content:"/Kids|20 5B 20|3 0 R |5D|"; within:15; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,21910; reference:cve,2007-0104; reference:url,projects.info-pull.com/moab/MOAB-06-01-2007.html; classtype:attempted-user; sid:17361; rev:16;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TTF SING table parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|35 3E 5D 0A 3E 3E 0A 73 74 61 72 74 78 72 65 66 0A 32 34 36 31 32 35 0A 25 25 45 4F 46 0A 0D 0A 25 53 49 47 4E 41 54 55 52 45 3A 20 E2 DA 47 7E AC 80 D7 7E AB 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:17233; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17215; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17214; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed FlateDecode colors declaration"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"FlateDecode"; content:"DecodeParms"; pcre:"/DecodeParms\s*\[[^\]]*Colors\s*\d\d\d\d/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36600; reference:cve,2009-3459; classtype:attempted-user; sid:16677; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed FlateDecode colors declaration"; flow:to_client, established; file_data; content:"1073741838"; pcre:"/(C|#43)(o|#6F)(l|#6C)(o|#6F)(r|#72)(s|#73)\s*1073741838/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36600; reference:cve,2009-3459; classtype:attempted-user; sid:16676; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader authplay.dll vulnerability exploit attempt"; flow:to_client,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; isdataat:316,relative; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|"; within:48; distance:316; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:16664; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader File containing Flash use-after-free attack attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69 72 73 74 20 39 39 2F 4C 65 6E 67 74 68 20 35 31 31 2F 4E 20 31 35 2F 54 79 70 65 2F 4F 62 6A 53 74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE 6C 52 DB 6E E2 30|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16633; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Linux malformed U3D mesh deceleration block exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; fast_pattern:only; pcre:"/stream\nU3D[^<]*\x31\xff\xff\xff/si"; byte_jump:2, 8, relative, little; byte_test:4, >, 97612893, 32, relative, little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0196; classtype:attempted-user; sid:16603; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.getIcon"; fast_pattern:only; pcre:!"/Collab\.getIcon[^\x28]*?\x28\s*([\x22\x27])[^\1]{1,256}\1\s*\x29/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:16554; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed Richmedia annotation exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype/RichMedia"; fast_pattern:only; content:"/Annot"; pcre:"/\/Rect\s*\[[^\]]*\./"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:16545; rev:21;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:16490; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader compressed media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|26 EA A7 7C 9A 1D C4 1C FE 26 7F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-4324; classtype:attempted-user; sid:16334; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:16333; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Microsoft Windows kernel-mode drivers core font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot|file.pdf|file.otf|file.ttf; file_data; content:"hmtx"; content:"cmap"; content:"head"; pcre:"/(cmap|head|hmtx|hhea|maxp|name|OS\x2F2|post).{4}([\x80-\xFF]|.{4}[\x80-\xFF])/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,36029; reference:bugtraq,42203; reference:cve,2009-2514; reference:cve,2010-2862; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-065; classtype:attempted-admin; sid:16231; rev:22;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDF font processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj<<"; content:"/BaseFont"; distance:0; content:"endobj"; distance:0; pcre:"/obj\x3c\x3c.*?\x2fBaseFont\x2f[^\x80-\xff\x2f]*[\x80-\xff].*?endobj/s"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,32100; reference:cve,2008-4813; reference:url,vallejo.cc/proyectos/adobereader812.html; classtype:attempted-user; sid:15867; rev:17;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF attempted download of a PDF with embedded Flash"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream"; nocase; pcre:"/stream[\x0A\x0D]{1,2}[CF]WS/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35759; reference:bugtraq,41237; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-2201; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:15727; rev:27;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader FlateDecode integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/DecodeParms"; content:"/Predictor"; distance:0; byte_test:4,>,1,1,relative,string,dec; pcre:"/\x2fDecodeParms\s*\x3c{2}\s*(?=[^\x3e]*\/Predictor\s+0*(1\d|[2-9]))([^\x3e]*\x2fBitsPerComponent\s+\d{3}|[^\x3e]*\x2fColumns\s+\d{5}|[^\x3e]*\x2fColors\s+\d{5})/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,35294; reference:bugtraq,36600; reference:cve,2009-1856; reference:cve,2009-3459; classtype:attempted-user; sid:15709; rev:19;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"getAnnots"; fast_pattern:only; pcre:"/getAnnots\x5C?\([^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*-\d/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34736; reference:cve,2009-1492; classtype:attempted-user; sid:15493; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader spell.customDictionaryOpen exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"spell.customDictionaryOpen|5C|(0,dict|5C|)"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34740; reference:cve,2009-1493; classtype:attempted-user; sid:15492; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; nocase; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/si"; byte_test:1,&,0x40,4,relative; byte_test:1,!&,128,4,relative; byte_test:1,!&,32,4,relative; byte_test:1,=,0,5,relative; byte_test:4,>,0x1000,6,relative,big; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15357; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; pcre:"/\x28\s*\x22\s*\x25([2-9][6-9][5-9]|[1-9][0-9]{3,})f/mi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-2992; classtype:attempted-user; sid:15014; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Plugin JavaScript parameter double free attempt"; flow:to_client,established; file_data; content:".pdf|23|"; fast_pattern:only; content:"document."; nocase; pcre:"/\x2Epdf\x23[^\r\n]+\x3Djavascript\x3A[^\r\n]*document\x2E\w+/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-0046; reference:url,www.adobe.com/support/security/advisories/apsa07-01.html; classtype:attempted-user; sid:9843; rev:17;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".setTimeOut"; nocase; content:".closeDoc"; within:50; fast_pattern; nocase; content:".openDoc"; within:50; nocase; pcre:"/\x2esetTimeOut\s*\x28\s*[\x22\x27][^\x28]+?\x2ecloseDoc\s*\x28[^\x29]*?\x29[^\x28]+?\x2eopenDoc\s*\x28[^\x29]*?\x29[^\x29]*?[\x22\x27]\s*,\s*[^\x29]*?\x29/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3057; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34560; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".setTimeOut"; nocase; content:".closeDoc"; within:50; fast_pattern; nocase; content:".openDoc"; within:50; nocase; pcre:"/\x2esetTimeOut\s*\x28\s*[\x22\x27][^\x28]+?\x2ecloseDoc\s*\x28[^\x29]*?\x29[^\x28]+?\x2eopenDoc\s*\x28[^\x29]*?\x29[^\x29]*?[\x22\x27]\s*,\s*[^\x29]*?\x29/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3057; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34559; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"ret = conn.stmt.getColumn"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3072; classtype:attempted-user; sid:34558; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded JavaScript remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"ret = conn.stmt.getColumn"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3072; classtype:attempted-user; sid:34557; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|CF 6A F7 2A 77 3C DE F1 11 75 33 D3 94 74 4A 14 73 4B 18 A1 66 C2 0F DE 3D ED 19 D4 32 2E B6 11|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-2462; reference:cve,2015-3070; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:attempted-user; sid:34552; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; nocase; content:"/JS"; within:5; nocase; content:"trustPropagatorFunction"; distance:0; nocase; content:"eval"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3074; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-10.html; classtype:attempted-admin; sid:34551; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; nocase; content:"/JS"; within:5; nocase; content:"trustPropagatorFunction"; distance:0; nocase; content:"eval"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3074; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-10.html; classtype:attempted-admin; sid:34550; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt"; flow:to_server,established; file_data; content:"this.removeField("; fast_pattern; content:"this.addField("; within:50; content:"combobox"; within:50; content:".setAction("; within:100; content:"Keystroke"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3075; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34549; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt"; flow:to_client,established; file_data; content:"this.removeField("; fast_pattern; content:"this.addField("; within:50; content:"combobox"; within:50; content:".setAction("; within:100; content:"Keystroke"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3075; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34548; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt"; flow:to_server,established; file_data; content:"|E9 65 57 0E 4E A7 E1 1D 41 D1 CF CE D6 42 AF 21 B5 B5 97 7E 9E 43 FE 43 9A 4B B8 45 09 7E 4A A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3046; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-10.html; classtype:attempted-user; sid:34547; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PCR null pointer dereference attempt"; flow:to_client,established; file_data; content:"|E9 65 57 0E 4E A7 E1 1D 41 D1 CF CE D6 42 AF 21 B5 B5 97 7E 9E 43 FE 43 9A 4B B8 45 09 7E 4A A2|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3046; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-10.html; classtype:attempted-user; sid:34546; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PRC invalid index attempt"; flow:to_server,established; file_data; content:"|80 4D 10 00 E6 4D 10 00 F3 4D 10 00 C6 2A 11 00 52 9E 26 1C 90 D9 7E DF 15 00 00 00 E2 77 C6 4A|"; fast_pattern:only; metadata:service smtp; reference:cve,2015-3047; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34535; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PRC invalid index attempt"; flow:to_client,established; file_data; content:"|80 4D 10 00 E6 4D 10 00 F3 4D 10 00 C6 2A 11 00 52 9E 26 1C 90 D9 7E DF 15 00 00 00 E2 77 C6 4A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3047; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34534; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".customDictionaryExport"; fast_pattern:only; pcre:"/\.customDictionaryExport\s*\x28[\s\x22\x27,]*\x29/i"; metadata:service smtp; reference:cve,2015-3058; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-recon; sid:34533; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".customDictionaryExport"; fast_pattern:only; pcre:"/\.customDictionaryExport\s*\x28[\s\x22\x27,]*\x29/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3058; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-recon; sid:34532; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt"; flow:established,to_server; flowbits:isset,file.pdf; file_data; content:"this.closeDoc(true)"; fast_pattern:only; content:".addField"; content:"A"; within:5; content:"signature"; within:20; content:".getPageBox"; within:50; metadata:service smtp; reference:cve,2015-3055; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-admin; sid:34529; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader AVDoc use-after-free attempt"; flow:established,to_client; flowbits:isset,file.pdf; file_data; content:"this.closeDoc(true)"; fast_pattern:only; content:".addField"; content:"A"; within:5; content:"signature"; within:20; content:".getPageBox"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3055; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-admin; sid:34528; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|E9 F4 5F E1 3D 20 49 DD DB 15 D7 26 E2 25 F5 C9 28 B2 CC FB 98 5F 8A 9C C3 B6 5C E4 A5 B4 27 7A 0A 30 30 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74600; reference:cve,2015-3051; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34527; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|E9 F4 5F E1 3D 20 49 DD DB 15 D7 26 E2 25 F5 C9 28 B2 CC FB 98 5F 8A 9C C3 B6 5C E4 A5 B4 27 7A 0A 30 30 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74600; reference:cve,2015-3051; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34526; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|1F 07 A6 A9 4B 2D 65 7D 9C 65 70 61 3A 9F 0A E3 2C 29 C2 91 72 9F 9A 6C 3C 0C 6C 48 60 FD 26 80 27 02 60 7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74600; reference:cve,2015-3052; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34525; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|1F 07 A6 A9 4B 2D 65 7D 9C 65 70 61 3A 9F 0A E3 2C 29 C2 91 72 9F 9A 6C 3C 0C 6C 48 60 FD 26 80 27 02 60 7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74600; reference:cve,2015-3052; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34524; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".addAnnot"; nocase; content:"points"; within:50; nocase; content:"0"; within:25; content:"type"; nocase; content:"Line"; within:25; nocase; pcre:"/\.addAnnot\s*\x28[^\x29]*?points\s*\x3a\s*0/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3056; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34517; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".addAnnot"; nocase; content:"points"; within:50; nocase; content:"0"; within:25; content:"type"; nocase; content:"Line"; within:25; nocase; pcre:"/\.addAnnot\s*\x28[^\x29]*?points\s*\x3a\s*0/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3056; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34516; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".type"; nocase; content:"Line"; within:25; nocase; content:".points"; nocase; content:"0|3B|"; within:25; content:".addAnnot"; within:100; nocase; pcre:"/(?P<var>\w+)\.points\s*=\s*0\x3b.*?\.addAnnot\s*\x28\s*(?P=var)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3056; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34515; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".type"; nocase; content:"Line"; within:25; nocase; content:".points"; nocase; content:"0|3B|"; within:25; content:".addAnnot"; within:100; nocase; pcre:"/(?P<var>\w+)\.points\s*=\s*0\x3b.*?\.addAnnot\s*\x28\s*(?P=var)/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3056; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34514; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".state"; nocase; content:"Cancelled"; within:20; nocase; content:".stateModel"; within:100; nocase; content:"Marked"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3059; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34594; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".state"; nocase; content:"Completed"; within:20; nocase; content:".stateModel"; within:100; nocase; content:"Marked"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3059; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34593; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".state"; nocase; content:"Completed"; within:20; nocase; content:".stateModel"; within:100; nocase; content:"Marked"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3059; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34592; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt"; flow:to_server,established; file_data; content:"|32 21 C2 72 D4 F0 96 E3 26 A9 2C 77 58 C6 2B 8C 6F 89 E2 FA 3D 14 25 17 20 D7 1C A6 45 9E D3 DF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3059; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34591; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt"; flow:to_client,established; file_data; content:"|32 21 C2 72 D4 F0 96 E3 26 A9 2C 77 58 C6 2B 8C 6F 89 E2 FA 3D 14 25 17 20 D7 1C A6 45 9E D3 DF|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3059; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34590; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader stateModel use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".state"; nocase; content:"Cancelled"; within:20; nocase; content:".stateModel"; within:100; nocase; content:"Marked"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3059; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34589; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"addedAnnotCount"; fast_pattern; content:"modifiedAnnotCount"; within:50; content:"ANVerifyComments"; content:".launchURL"; content:"app.__proto__"; within:50; content:"AFExactMatch"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3062; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34613; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"addedAnnotCount"; fast_pattern; content:"modifiedAnnotCount"; within:50; content:"ANVerifyComments"; content:".launchURL"; content:"app.__proto__"; within:50; content:"AFExactMatch"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3062; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34612; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JS notification object double free attempt"; flow:to_server,established; file_data; content:"/JS (|0D 0A|CBAutoConfigCommentRepository()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3076; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34653; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JS notification object double free attempt"; flow:to_client,established; file_data; content:"/JS (|0D 0A|CBAutoConfigCommentRepository()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3076; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34652; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|74 5B 38 90 D3 2A 8E 65 A3 C3 55 E6 A8 D1 DE 6D 0D E8 1F 21 96 81 19 2A FA F2 C3 2B 1C 82 06 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3050; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34651; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|74 5B 38 90 D3 2A 8E 65 A3 C3 55 E6 A8 D1 DE 6D 0D E8 1F 21 96 81 19 2A FA F2 C3 2B 1C 82 06 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3050; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34650; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"DynamicAnnotStore"; content:".complete.call"; within:50; content:"|27|complete|27|:eval"; content:"ANVerifyComments"; fast_pattern:only; content:".launchURL|7D|"; content:"app.__proto__"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3064; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34628; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"DynamicAnnotStore"; content:".complete.call"; within:50; content:"|27|complete|27|:eval"; content:"ANVerifyComments"; fast_pattern:only; content:".launchURL|7D|"; content:"app.__proto__"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3064; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34627; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"= |7B| |27|getField|27|: eval|7D|"; content:"__proto__ ="; within:50; content:"AFSimple_Calculate.call"; within:50; content:"= |7B 22|alert|22| :"; content:".__proto__ ="; within:50; content:"ANVerifyComments("; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-3069; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34626; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader bypass JavaScript API restrictions attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"= |7B| |27|getField|27|: eval|7D|"; content:"__proto__ ="; within:50; content:"AFSimple_Calculate.call"; within:50; content:"= |7B 22|alert|22| :"; content:".__proto__ ="; within:50; content:"ANVerifyComments("; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-3069; reference:url,helpx.adobe.com/security/products/reader/apsb15-10.html; classtype:attempted-user; sid:34625; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader setPageAction use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"this.setPageAction"; nocase; content:"Close"; within:25; nocase; content:"this.closeDoc"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74602; reference:cve,2015-3053; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34846; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader setPageAction use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"this.setPageAction"; nocase; content:"Close"; within:25; nocase; content:"this.closeDoc"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74602; reference:cve,2015-3053; reference:url,helpx.adobe.com/security/products/acrobat/apsb15-10.html; classtype:attempted-user; sid:34845; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader mishandling of invalid triangle edge access attempt"; flow:to_server,established; file_data; content:"|00 80 80 FF FF 00 FF FF 00 00 00 00 FF 00 00 02 00 00 00 00 02 FF 00 00 00 02 FF FF 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8459; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:35242; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader mishandling of invalid triangle edge access attempt"; flow:to_server,established; file_data; content:"00 80 80 ff ff 00 ff ff 00 00 00 00 ff 00 00 02 00 00 00 00 02 ff 00 00 00 02 ff ff 00 00"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-8459; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:35241; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader mishandling of invalid triangle edge access attempt"; flow:to_client,established; file_data; content:"00 80 80 ff ff 00 ff ff 00 00 00 00 ff 00 00 02 00 00 00 00 02 ff 00 00 00 02 ff ff 00 00"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8459; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:35240; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader mishandling of invalid triangle edge access attempt"; flow:to_client,established; file_data; content:"|00 80 80 FF FF 00 FF FF 00 00 00 00 FF 00 00 02 00 00 00 00 02 FF 00 00 00 02 FF FF 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8459; reference:url,helpx.adobe.com/security/products/reader/apsb14-28.html; classtype:attempted-user; sid:35239; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"for"; nocase; content:"|5C|u"; within:25; fast_pattern; nocase; content:"in"; within:50; nocase; content:"this"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75740; reference:cve,2015-5087; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35346; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Unicode value memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"for"; nocase; content:"|5C|u"; within:25; nocase; content:"in"; within:50; nocase; content:"this"; within:25; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75740; reference:cve,2015-5087; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35345; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".closeDoc|28|true|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5086; reference:cve,2015-5100; reference:cve,2015-5101; reference:cve,2015-5102; reference:cve,2015-5103; reference:cve,2015-5104; reference:cve,2015-5111; reference:cve,2016-0937; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35332; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".closeDoc|28|true|29|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5086; reference:cve,2015-5100; reference:cve,2015-5101; reference:cve,2015-5102; reference:cve,2015-5103; reference:cve,2015-5104; reference:cve,2015-5111; reference:cve,2016-0937; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35331; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"addField"; nocase; content:"combobox"; within:20; nocase; content:"setAction"; distance:0; nocase; content:"Format"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,75739; reference:cve,2015-5113; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35324; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ComboBox field Format action use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"addField"; nocase; content:"combobox"; within:20; nocase; content:"setAction"; distance:0; nocase; content:"Format"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,75739; reference:cve,2015-5113; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35323; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"app.launchURL("; fast_pattern:only; content:".setTimeOut("; content:"this.closeDoc("; within:20; content:"true"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4445; reference:cve,2015-4447; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35322; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader setTimeOut app.launchURL privilege escalation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"app.launchURL("; fast_pattern:only; content:".setTimeOut("; content:"this.closeDoc("; within:20; content:"true"; within:10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4445; reference:cve,2015-4447; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35321; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.doc.getAnnots3D"; content:".ToolEventHandler()"; distance:0; content:".onEvent"; within:200; content:"app.doc.closeDoc"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5094; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35320; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader ToolEventHandler use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.doc.getAnnots3D"; content:".ToolEventHandler()"; distance:0; content:".onEvent"; within:200; content:"app.doc.closeDoc"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5094; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35319; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.doc.getAnnots3D"; nocase; content:".makeMeasurement"; distance:0; nocase; pcre:"/\.makeMeasurement\s*\x28[^\x3b]+?Array/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5093; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35309; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader MakeMeasurement buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.doc.getAnnots3D"; nocase; content:".makeMeasurement"; distance:0; nocase; pcre:"/\.makeMeasurement\s*\x28[^\x3b]+?Array/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5093; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35308; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt"; flow:to_server,established; file_data; content:"__defineGetter__"; content:".removeField("; within:200; content:".addField("; within:500; content:"checkbox"; within:50; nocase; content:"exportValues"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4448; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35383; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt"; flow:to_client,established; file_data; content:"__defineGetter__"; content:".removeField("; within:200; content:".addField("; within:500; content:"checkbox"; within:50; nocase; content:"exportValues"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4448; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35382; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt"; flow:to_server,established; file_data; content:"|95 90 F8 86 C6 A0 2E 0A 20 5E EC 05 50 F5 92 19 A1 24 10 1F CE AE 03 5B 88 0A C8 15 C7 1E D2 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4448; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35381; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader javascript setExportValues field object use after free attempt"; flow:to_client,established; file_data; content:"|95 90 F8 86 C6 A0 2E 0A 20 5E EC 05 50 F5 92 19 A1 24 10 1F CE AE 03 5B 88 0A C8 15 C7 1E D2 9B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4448; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35380; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader setItems use-after-free attempt"; flow:established,to_client; flowbits:isset,file.pdf; file_data; content:"|0E 1F 69 02 8C 8E 4D 2E 2A D4 41 E4 5F AE A8 2E E0 CA AF F1 9B C0 D8 FF 90 A2 2B 0C 24 B2 D2 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5099; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-admin; sid:35410; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader setItems use-after-free attempt"; flow:established,to_server; flowbits:isset,file.pdf; file_data; content:"doc.addField"; content:"__defineGetter__"; within:200; content:"doc.removeField"; within:200; fast_pattern; content:".setItems"; within:200; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5099; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-admin; sid:35409; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader setItems use-after-free attempt"; flow:established,to_client; flowbits:isset,file.pdf; file_data; content:"doc.addField"; content:"__defineGetter__"; within:200; content:"doc.removeField"; within:200; fast_pattern; content:".setItems"; within:200; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5099; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-admin; sid:35408; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader setItems use-after-free attempt"; flow:established,to_server; flowbits:isset,file.pdf; file_data; content:"|0E 1F 69 02 8C 8E 4D 2E 2A D4 41 E4 5F AE A8 2E E0 CA AF F1 9B C0 D8 FF 90 A2 2B 0C 24 B2 D2 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5099; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-admin; sid:35407; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader nested events use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".addEventHandler"; fast_pattern:only; content:".onEvent"; nocase; content:"function"; within:25; nocase; content:".onEvent"; within:200; nocase; content:"function"; within:25; nocase; content:".onEvent"; within:200; nocase; content:"function"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5095; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35431; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader nested events use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".addEventHandler"; fast_pattern:only; content:".onEvent"; nocase; content:"function"; within:25; nocase; content:".onEvent"; within:200; nocase; content:"function"; within:25; nocase; content:".onEvent"; within:200; nocase; content:"function"; within:25; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5095; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35430; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader CBBBRInvite privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"this.CBBBRInvite"; fast_pattern:only; content:"this.closeDoc"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4441; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35768; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader CBBBRInvite privilege escalation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"this.CBBBRInvite"; fast_pattern:only; content:"this.closeDoc"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4441; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35767; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader exclGroup element null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<exclGroup"; nocase; content:"layout"; within:15; nocase; content:"table"; within:15; nocase; metadata:service smtp; reference:cve,2015-4443; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35758; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader exclGroup element null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<exclGroup"; nocase; content:"layout"; within:15; nocase; content:"table"; within:15; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4443; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35757; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-PDF Adobe Reader GoToE javascript execution attempt "; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/GoToE"; fast_pattern; nocase; content:"/F"; within:10; nocase; content:"javascript|3A|"; within:25; metadata:service smtp; reference:cve,2015-4449; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:web-application-attack; sid:35740; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader GoToE javascript execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/GoToE"; fast_pattern; nocase; content:"/F"; within:10; nocase; content:"javascript|3A|"; within:25; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4449; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:web-application-attack; sid:35739; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"ANStartApproval("; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4435; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35812; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"ANStartApproval("; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4435; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35811; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"ANSendForReview("; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-4438; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35810; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"ANSendForReview("; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-4438; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35809; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader validation bypass privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/EmbeddedFile"; nocase; content:"/JavaScript"; nocase; content:"adobe/arm/1.0/secur32.dll"; fast_pattern:only; metadata:service smtp; reference:cve,2015-5090; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-admin; sid:35808; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader validation bypass privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/EmbeddedFile"; nocase; content:"/JavaScript"; nocase; content:"adobe/arm/1.0/secur32.dll"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5090; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-admin; sid:35807; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".requestPermission"; nocase; content:"ANSendApprovalToAuthorEnabled"; fast_pattern:only; metadata:service smtp; reference:cve,2015-4451; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35787; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".requestPermission"; nocase; content:"ANSendApprovalToAuthorEnabled"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4451; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35786; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader AcroForm null pointer dereference attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"<subform"; fast_pattern; content:"scope"; within:20; content:"none"; within:8; content:"<exclGroup>"; within:50; metadata:service smtp; reference:cve,2015-4444; classtype:attempted-user; sid:35785; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader AcroForm null pointer dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"<subform"; fast_pattern; content:"scope"; within:20; content:"none"; within:8; content:"<exclGroup>"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4444; classtype:attempted-user; sid:35784; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".__proto__"; nocase; content:"="; within:200; pcre:"/(?P<name>[A-Z]+)\s*\x2E\w{1,50}\s*\x2E\s*(?P=name)\s*\x2E__proto__\s*\x3d/i"; metadata:service smtp; reference:cve,2015-4452; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35782; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".__proto__"; nocase; content:"="; within:200; pcre:"/(?P<name>[A-Z]+)\s*\x2E\w{1,50}\s*\x2E\s*(?P=name)\s*\x2E__proto__\s*\x3d/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-4452; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-user; sid:35781; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XML XSL transform exploitation attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"XMLData.parse|28|"; content:".applyXSL|28|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-5089; reference:cve,2016-6967; reference:cve,2016-6968; reference:cve,2016-6969; reference:cve,2016-6972; reference:cve,2017-11243; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-recon; sid:35780; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XML XSL transform exploitation attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"XMLData.parse|28|"; content:".applyXSL|28|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5089; reference:cve,2016-6967; reference:cve,2016-6968; reference:cve,2016-6969; reference:cve,2016-6972; reference:cve,2017-11243; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-recon; sid:35779; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader makeMeasurement information disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.doc.getAnnots3D"; fast_pattern:only; content:".makeMeasurement"; nocase; content:"|2E|dumpMeasureData"; within:500; nocase; content:"openDataObject"; within:300; nocase; metadata:service smtp; reference:cve,2015-5107; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-recon; sid:36063; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader makeMeasurement information disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.doc.getAnnots3D"; fast_pattern:only; content:".makeMeasurement"; nocase; content:"|2E|dumpMeasureData"; within:500; nocase; content:"openDataObject"; within:300; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5107; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:attempted-recon; sid:36062; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"AgD/AAIA/wACAP8AClhYWFhYWFhYWFg="; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:36192; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"AgD/AAIA/wACAP8AClhYWFhYWFhYWFg="; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:36191; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"tEXt|00|"; fast_pattern; byte_test:4,>,0x2a,-9,relative; metadata:service smtp; reference:url,foxitsoftware.com/support/security-bulletins.php#FRD-30; classtype:attempted-user; sid:36306; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"tEXt|00|"; fast_pattern; byte_test:4,>,0x2a,-9,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:url,foxitsoftware.com/support/security-bulletins.php#FRD-30; classtype:attempted-user; sid:36305; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_server,established; file_data; content:"|71 59 67 7D 4B 7D 07 3C B8 A6 71 E5 AA FA 16 4A FD F4 0A CC AF 8B 65 40 07 86 96 3B 79 65 FB 3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-admin; sid:36886; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; file_data; content:"|71 59 67 7D 4B 7D 07 3C B8 A6 71 E5 AA FA 16 4A FD F4 0A CC AF 8B 65 40 07 86 96 3B 79 65 FB 3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-admin; sid:36885; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.doc.__proto__"; fast_pattern:only; metadata:service smtp; reference:cve,2015-5085; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:policy-violation; sid:37315; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.doc.__proto__"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-5085; reference:url,helpx.adobe.com/security/products/reader/apsb15-15.html; classtype:policy-violation; sid:37314; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"closeDoc"; content:"setTimeOut"; within:35; content:"addAnnot"; within:30; content:"FileAttachment"; within:25; content:"/S/JavaScript/Type/Action"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0931; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37406; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"closeDoc"; content:"setTimeOut"; within:35; content:"addAnnot"; within:30; content:"FileAttachment"; within:25; content:"/S/JavaScript/Type/Action"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0931; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37405; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt"; flow:to_server, established; file_data; content:"|AE 04 CF 0B C6 F3 0D 4B 94 CC 7B 6A 2D 34 2F 45 CA 56 3C 59 CA 5C 9C B2 D4 DC 70 CA 94 66 7C BD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0938; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37400; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt"; flow:to_client, established; file_data; content:"|AE 04 CF 0B C6 F3 0D 4B 94 CC 7B 6A 2D 34 2F 45 CA 56 3C 59 CA 5C 9C B2 D4 DC 70 CA 94 66 7C BD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0938; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37399; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt"; flow:to_server, established; file_data; content:"|60 EF FF 10 47 2A 53 33 F3 05 8E F4 55 C6 02 FB 7B 1F 7D 83 D9 66 65 70 A3 BC BC 2B CC 9D 14 CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0939; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37398; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt"; flow:to_client, established; file_data; content:"|60 EF FF 10 47 2A 53 33 F3 05 8E F4 55 C6 02 FB 7B 1F 7D 83 D9 66 65 70 A3 BC BC 2B CC 9D 14 CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0939; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37397; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader setPersistent use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"global.setPersistent"; content:"search.query"; within:300; distance:-150; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,80358; reference:cve,2016-0941; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37434; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader setPersistent use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"global.setPersistent"; content:"search.query"; within:300; distance:-150; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,80358; reference:cve,2016-0941; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37433; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt"; flow:to_server,established; file_data; content:"|0A 71 0A 2F 47 31 20 67 73 0A 32 30 20 33 30 30 20 32 30 30 20 32 30 30 20 72 65 0A 62 0A 51 0A 65 6E 64 73 74 72|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-0934; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37432; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt"; flow:to_client,established; file_data; content:"|0A 71 0A 2F 47 31 20 67 73 0A 32 30 20 33 30 30 20 32 30 30 20 32 30 30 20 72 65 0A 62 0A 51 0A 65 6E 64 73 74 72|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0934; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37431; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader ExtGState double free attempt"; flow:to_server,established; file_data; content:"/Type /ExtGState /D [[1 1] 1]|09|/CA 0.1|09|>>|0A|endobj|0A|4 0 obj"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0935; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37425; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader ExtGState double free attempt"; flow:to_client,established; file_data; content:"/Type /ExtGState /D [[1 1] 1]|09|/CA 0.1|09|>>|0A|endobj|0A|4 0 obj"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0935; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37424; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"global.__defineGetter__("; distance:0; content:"global.setPersistent("; within:150; pcre:"/global\x2E__defineGetter__\x28\x20*[\x22\x27](?P<getter_name>\w+)[\x22\x27][^>]*global.setPersistent\x28\x20*[\x22\x27](?P=getter_name)[\x22\x27]/s"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0943; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:policy-violation; sid:37465; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"global.__defineGetter__("; distance:0; content:"global.setPersistent("; within:150; pcre:"/global\x2E__defineGetter__\x28\x20*[\x22\x27](?P<getter_name>\w+)[\x22\x27][^>]*global.setPersistent\x28\x20*[\x22\x27](?P=getter_name)[\x22\x27]/s"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0943; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:policy-violation; sid:37464; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Graphics State Parameter Dictionaries"; fast_pattern:only; content:"/D [[10 15] 2]"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,80358; reference:cve,2016-0940; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37461; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Graphics State Parameter Dictionaries"; fast_pattern:only; content:"/D [[10 15] 2]"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,80358; reference:cve,2016-0940; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37460; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|FF BC 00 FD 01 13 FF BC 00 FE 01 14 FF BC 00 FF 01 15 FF BC 00 00 00 02 00 01 00 00 00 00 00 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0944; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37459; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|FF BC 00 FD 01 13 FF BC 00 FE 01 14 FF BC 00 FF 01 15 FF BC 00 00 00 02 00 01 00 00 00 00 00 14|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0944; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37458; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|A2 15 FE FE 05 D5 FD 71 FE 9B 01 65 00 02 00 C5 03 AA 02 E9 05 D5 00 03 C9 07 00 4D 40 0F E4 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0945; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37455; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A2 15 FE FE 05 D5 FD 71 FE 9B 01 65 00 02 00 C5 03 AA 02 E9 05 D5 00 03 C9 07 00 4D 40 0F E4 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0945; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37454; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|6E 77 43 EF 33 7A 70 E4 14 CE D7 DD 31 C9 C9 51 F6 BA BC 3C 40 68 20 FB 52 96 81 BC CD E2 65 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0936; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37451; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6E 77 43 EF 33 7A 70 E4 14 CE D7 DD 31 C9 C9 51 F6 BA BC 3C 40 68 20 FB 52 96 81 BC CD E2 65 8B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0936; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37450; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|94 F3 18 00 94 F5 77 C9 28 5D 5A 4F E3 5A C6 DE F9 2B F1 01 00 91 56 1A 00 71 80 CC 2D 38 A5 11|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0933; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37449; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|94 F3 18 00 94 F5 77 C9 28 5D 5A 4F E3 5A C6 DE F9 2B F1 01 00 91 56 1A 00 71 80 CC 2D 38 A5 11|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0933; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-user; sid:37448; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|00 02 00 00 00 FF 40 02 00 02 00 00 00 02 00 00 33 00 CC 00 00 00 00 04 00 00 00 00 00 00 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0946; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37470; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|00 02 00 00 00 FF 40 02 00 02 00 00 00 02 00 00 33 00 CC 00 00 00 00 04 00 00 00 00 00 00 00 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0946; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:denial-of-service; sid:37469; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt"; flow:to_server,established; file_data; content:"A|00|c|00|r|00|o|00|R|00|d|00|3|00|2|00|.|00|e|00|x|00|e|00| |00|/|00|p|00|d|00|f|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0942; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37533; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt"; flow:to_server,established; file_data; content:"AcroRd32.exe /pdfshell"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0942; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37532; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt"; flow:to_client,established; file_data; content:"A|00|c|00|r|00|o|00|R|00|d|00|3|00|2|00|.|00|e|00|x|00|e|00| |00|/|00|p|00|d|00|f|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0942; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37531; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt"; flow:to_client,established; file_data; content:"AcroRd32.exe /pdfshell"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0942; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-02.html; classtype:attempted-dos; sid:37530; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt"; flow:to_server,established; file_data; content:"|70 83 AE 25 8A 59 9E FB 11 96 E2 5B 47 A4 68 A0 7F 04 F0 AE 81 C6 BF AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-012; classtype:attempted-user; sid:37595; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt"; flow:to_client,established; file_data; content:"|70 83 AE 25 8A 59 9E FB 11 96 E2 5B 47 A4 68 A0 7F 04 F0 AE 81 C6 BF AA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-012; classtype:attempted-user; sid:37594; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt"; flow:to_server,established; file_data; content:"|66 1F 04 92 EC AD 75 20 36 47 23 58 24 04 AC 1E AC C6 5C 08 44 02 CD 00 91 5F C0 64 29 88 14 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-012; classtype:attempted-user; sid:37566; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt"; flow:to_client,established; file_data; content:"|66 1F 04 92 EC AD 75 20 36 47 23 58 24 04 AC 1E AC C6 5C 08 44 02 CD 00 91 5F C0 64 29 88 14 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-012; classtype:attempted-user; sid:37565; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|12 E7 1B E8 3B 33 C0 10 08 59 8C 06 03 21 7B 4C 04 D1 98 C4 2C 20 26 C6 98 28 88 9A 44 8D 82 18 93 68 54 10 35 44 45|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35282; reference:cve,2009-1855; reference:url,adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:37712; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_server,established; file_data; content:"%PDF"; depth:4; content:"<field name=|22|ImageCrash|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:37829; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; file_data; content:"%PDF"; depth:4; content:"<field name=|22|ImageCrash|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,59918; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:37828; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat and Reader U3D Buffer Overflow buffer overflow attempt"; flow:to_server,established; file_data; content:"|A3 CB 47 99 0A FE AB C1 FF E5 F4 FF 23 17 0F D4 CE EB FF D6 EE 7F 36 A2 FB 02 C0 53 48 72 6B 45|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2009-2997; reference:url,adobe.com/support/security/bulletins/apsb09-15.html; classtype:attempted-user; sid:37911; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat and Reader U3D Buffer Overflow buffer overflow attempt"; flow:to_client,established; file_data; content:"|A3 CB 47 99 0A FE AB C1 FF E5 F4 FF 23 17 0F D4 CE EB FF D6 EE 7F 36 A2 FB 02 C0 53 48 72 6B 45|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2009-2997; reference:url,adobe.com/support/security/bulletins/apsb09-15.html; classtype:attempted-user; sid:37910; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader annotation oversized array memory corruption attempt"; flow:to_server,established; file_data; content:"/JavaScript"; content:".addAnnot("; within:200; content:"Array("; within:200; content:".length"; within:50; content:"="; within:5; byte_test:10,>,0x100000,0,relative,string; content:".setTimeOut("; within:200; content:"annot.setProps("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1007; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-09.html; classtype:attempted-user; sid:38224; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader annotation oversized array memory corruption attempt"; flow:to_client,established; file_data; content:"/JavaScript"; content:".addAnnot("; within:200; content:"Array("; within:200; content:".length"; within:50; content:"="; within:5; byte_test:10,>,0x100000,0,relative,string; content:".setTimeOut("; within:200; content:"annot.setProps("; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1007; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-09.html; classtype:attempted-user; sid:38223; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JPEG 2000 chrominance subsampling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|F8 B4 92 8B B3 0C 88 45 5E 8E C4 E2 43 10 CE C4 8A D8 8B C3 85 4C EA 3F 24 12 F8 85 97 1F D2 38|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1009; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-09.html; classtype:attempted-user; sid:38212; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JPEG 2000 chrominance subsampling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|F8 B4 92 8B B3 0C 88 45 5E 8E C4 E2 43 10 CE C4 8A D8 8B C3 85 4C EA 3F 24 12 F8 85 97 1F D2 38|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1009; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-09.html; classtype:attempted-user; sid:38211; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader out of bounds memory access violation attempt"; flow:to_server,established; file_data; content:"|99 00 01 FF 93 C1 08 03 CF 80 10 09 C3 81 03 80 A1 F0 02 04 A7 C6 08 06 BF AF A4 10 09 D7 C8 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1063; reference:cve,2016-6941; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:38846; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader out of bounds memory access violation attempt"; flow:to_client,established; file_data; content:"|99 00 01 FF 93 C1 08 03 CF 80 10 09 C3 81 03 80 A1 F0 02 04 A7 C6 08 06 BF AF A4 10 09 D7 C8 40|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1063; reference:cve,2016-6941; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:38845; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader javascript replace integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"replace|28 22|"; isdataat:300,relative; content:!"|22|"; within:300; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1043; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38844; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader javascript replace integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"replace|28 22|"; isdataat:300,relative; content:!"|22|"; within:300; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1043; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38843; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt"; flow:to_server,established; file_data; content:"xfa.template.createNode"; nocase; content:"subform"; within:50; nocase; content:"xfa.form.createNode"; distance:0; nocase; content:"template"; within:50; nocase; content:"0x7ec74c"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1092; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:policy-violation; sid:38821; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected"; flow:to_server,established; file_data; content:"jfCacheManager"; fast_pattern:only; content:"AcroForm.api"; nocase; content:"XFA"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1092; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:policy-violation; sid:38820; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt"; flow:to_client,established; file_data; content:"xfa.template.createNode"; nocase; content:"subform"; within:50; nocase; content:"xfa.form.createNode"; distance:0; nocase; content:"template"; within:50; nocase; content:"0x7ec74c"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1092; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:policy-violation; sid:38819; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected"; flow:to_client,established; file_data; content:"jfCacheManager"; fast_pattern:only; content:"AcroForm.api"; nocase; content:"XFA"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1092; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:policy-violation; sid:38818; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Array"; nocase; content:"Getter"; within:100; nocase; content:"addAnnot"; within:150; fast_pattern; nocase; content:"FileAttachment"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1065; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:38800; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Array"; nocase; content:"Getter"; within:100; nocase; content:"addAnnot"; within:150; fast_pattern; nocase; content:"FileAttachment"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1065; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:38799; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA javascript use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.resolveNode"; distance:0; content:"xfa.resolveNode"; distance:0; content:"xfa.resolveNode"; distance:0; content:"xfa.form.applyXSL"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1073; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38795; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA javascript use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.resolveNode"; distance:0; content:"xfa.resolveNode"; distance:0; content:"xfa.resolveNode"; distance:0; content:"xfa.form.applyXSL"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1073; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38794; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.resolveNode"; distance:0; content:"instanceManager"; content:"xfa.resolveNode"; distance:0; content:"rawValue"; content:"xfa.resolveNode"; distance:0; content:"xfa.isPropertySpecified"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1072; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38944; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.resolveNode"; distance:0; content:"instanceManager"; content:"xfa.resolveNode"; distance:0; content:"rawValue"; content:"xfa.resolveNode"; distance:0; content:"xfa.isPropertySpecified"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1072; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38943; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Net.HTTP.runTaskSet"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1040; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38938; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Net.HTTP.runTaskSet"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1040; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38937; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"ANAuthenticateResource"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1041; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38936; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"ANAuthenticateResource"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1041; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38935; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader submitForm read out of bounds attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".submitForm({cURL:"; fast_pattern; content:".php#FDF"; within:200; content:"cSubmitAs:"; within:200; content:"PDF"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1064; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38932; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader submitForm read out of bounds attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".submitForm({cURL:"; fast_pattern; content:".php#FDF"; within:200; content:"cSubmitAs:"; within:200; content:"PDF"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1064; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38931; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app"; content:"compareDocuments"; within:100; content:"popUpMenuEx"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1085; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38924; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app"; content:"compareDocuments"; within:100; content:"popUpMenuEx"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1085; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38923; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"ANProxyAuthenticateResource"; fast_pattern:only; content:"beginPriv"; content:"endPriv"; distance:0; content:"trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1042; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38921; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"ANProxyAuthenticateResource"; fast_pattern:only; content:"beginPriv"; content:"endPriv"; distance:0; content:"trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1042; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38920; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"createAVView"; fast_pattern:only; content:"popUpMenuEx"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1082; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38919; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"createAVView"; fast_pattern:only; content:"popUpMenuEx"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1082; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38918; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"CBSharedReviewSecurityDialog"; fast_pattern:only; content:"beginPriv"; content:"endPriv"; distance:0; content:"trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1038; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38915; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CBSharedReviewSecurityDialog"; fast_pattern:only; content:"beginPriv"; content:"endPriv"; distance:0; content:"trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1038; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38914; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"DisablePermEnforcement"; fast_pattern:only; content:"popUpMenuEx"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1084; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38912; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"DisablePermEnforcement"; fast_pattern:only; content:"popUpMenuEx"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1084; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38911; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"CBSharedReviewCloseDialog"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1039; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38910; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CBSharedReviewCloseDialog"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1039; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38909; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF execMenuItem use after free attempt"; flow:to_server,established; file_data; content:"|D1 E8 B3 C5 9C 90 88 6C D6 78 AD 96 DD 66 33 C0 CB 4C 87 6A D8 6D 56 17 30 7B 4B 0F CA 34 18 C3 04 58 BA CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1047; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38908; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF execMenuItem use after free attempt"; flow:to_client,established; file_data; content:"|D1 E8 B3 C5 9C 90 88 6C D6 78 AD 96 DD 66 33 C0 CB 4C 87 6A D8 6D 56 17 30 7B 4B 0F CA 34 18 C3 04 58 BA CC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1047; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38907; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"setPageAction"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1050; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38906; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"setAction"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1051; reference:cve,2016-1054; reference:cve,2016-1055; reference:cve,2016-1067; reference:cve,2016-1068; reference:cve,2016-1069; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38905; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"onEvent"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1056; reference:cve,2016-1057; reference:cve,2016-1058; reference:cve,2016-1059; reference:cve,2016-1060; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38904; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"defineGetter"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1047; reference:cve,2016-1052; reference:cve,2016-1053; reference:cve,2016-1062; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38903; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"setPageAction"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1050; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38902; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"setAction"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1051; reference:cve,2016-1054; reference:cve,2016-1055; reference:cve,2016-1067; reference:cve,2016-1068; reference:cve,2016-1069; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38901; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"onEvent"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1056; reference:cve,2016-1057; reference:cve,2016-1058; reference:cve,2016-1059; reference:cve,2016-1060; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38900; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem"; nocase; content:"Close"; within:10; nocase; content:"defineGetter"; within:200; distance:-100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1047; reference:cve,2016-1052; reference:cve,2016-1053; reference:cve,2016-1062; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38899; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA prePrint use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|78 02 A1 CB 85 01 45 99 E1 0B B8 90 2A D5 2E 29 D2 44 E8 D0 9D 1B 93 F5 7C 7F B9 5C 7A C5 8C 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1048; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38896; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA prePrint use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 02 A1 CB 85 01 45 99 E1 0B B8 90 2A D5 2E 29 D2 44 E8 D0 9D 1B 93 F5 7C 7F B9 5C 7A C5 8C 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1048; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38895; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"CBSharedReviewIfOfflineDialog"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1044; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38878; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CBSharedReviewIfOfflineDialog"; fast_pattern:only; content:"app.beginPriv"; content:"app.endPriv"; distance:0; content:"app.trustedFunction.bind"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1044; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-admin; sid:38877; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt"; flow:to_server,established; file_data; content:"|80 22 4A 1F 80 A1 BA 3F DD 3D 00 2C 3B 15 00 5C AE 0F C9 91 00 40 9D 20 01 F0 81 E3 D5 AC 01 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1037; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38960; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt"; flow:to_client,established; file_data; content:"|80 22 4A 1F 80 A1 BA 3F DD 3D 00 2C 3B 15 00 5C AE 0F C9 91 00 40 9D 20 01 F0 81 E3 D5 AC 01 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1037; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38959; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|5B 6F 58 4E 1E E9 84 7B F2 43 A7 00 02 D9 9E 1A 55 63 F6 27 8D 34 6F A4 D2 77 8D 9B B3 E8 44 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1095; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39029; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5B 6F 58 4E 1E E9 84 7B F2 43 A7 00 02 D9 9E 1A 55 63 F6 27 8D 34 6F A4 D2 77 8D 9B B3 E8 44 67|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1095; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39028; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<instanceManager"; fast_pattern:only; content:"<occur"; nocase; content:"<event"; nocase; content:"setInstances"; nocase; content:"moveInstance"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1045; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39018; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<instanceManager"; fast_pattern:only; content:"<occur"; nocase; content:"<event"; nocase; content:"setInstances"; nocase; content:"moveInstance"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1045; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39017; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt"; flow:to_server,established; file_data; content:"|96 BA F9 E6 27 4D 7E B3 2D 48 DD 2A 01 0F 60 6B 41 AC 60 0B 9E DF 52 8B 0C CC EE CD 28 07 28 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1066; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39016; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt"; flow:to_client,established; file_data; content:"|96 BA F9 E6 27 4D 7E B3 2D 48 DD 2A 01 0F 60 6B 41 AC 60 0B 9E DF 52 8B 0C CC EE CD 28 07 28 DD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1066; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39015; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt"; flow:to_server,established; file_data; content:"|AC 38 6F 15 46 CF D0 0B 8D 4B 73 6E FB 19 9A 34 6B B7 2F 3F 3D 24 78 C2 B6 2B A7 3E 4B 8A 52 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1077; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39014; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt"; flow:to_client,established; file_data; content:"|AC 38 6F 15 46 CF D0 0B 8D 4B 73 6E FB 19 9A 34 6B B7 2F 3F 3D 24 78 C2 B6 2B A7 3E 4B 8A 52 35|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1077; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39013; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA form use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"execMenuItem"; nocase; content:"Close"; within:20; nocase; content:"execMenuItem"; within:50; nocase; content:"Close"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1046; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39008; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA form use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"execMenuItem"; nocase; content:"Close"; within:20; nocase; content:"execMenuItem"; within:50; nocase; content:"Close"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1046; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39007; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"execAVDialog"; fast_pattern:only; content:"toString"; content:"|3A|"; within:10; content:"popUpMenuEx"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1083; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38992; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"execAVDialog"; fast_pattern:only; content:"toString"; content:"|3A|"; within:5; content:"popUpMenuEx"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1083; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38991; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt"; flow:to_client,established; file_data; content:"|97 E3 93 DD 6E 75 F9 61 7D C5 2E C6 D3 BB DD EE EE F6 FD 78 F9 FD 7E 3D 7E BD BA D9 6C 57 BB CD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1094; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38981; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt"; flow:to_server,established; file_data; content:"|97 E3 93 DD 6E 75 F9 61 7D C5 2E C6 D3 BB DD EE EE F6 FD 78 F9 FD 7E 3D 7E BD BA D9 6C 57 BB CD|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1094; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38980; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat memory corruption vulnerability attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"exportFiles(true)"; fast_pattern:only; content:"popUpMenuEx"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1081; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38978; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat memory corruption vulnerability attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"exportFiles(true)"; fast_pattern:only; content:"popUpMenuEx"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1081; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38977; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"clearGlobalSecurityStore"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1086; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-recon; sid:38976; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"clearGlobalSecurityStore"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1086; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-08.html; classtype:attempted-recon; sid:38975; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; fast_pattern:only; content:"jp2h"; content:"ihdr"; within:4; distance:4; content:"|FF|"; within:1; distance:10; byte_test:2,>,16384,-3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1078; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38967; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; fast_pattern:only; content:"jp2h"; content:"ihdr"; within:4; distance:4; content:"|FF|"; within:1; distance:10; byte_test:2,>,16384,-3,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1078; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:38966; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA API preOpen use after free attempt"; flow:to_server,established; file_data; content:"|35 93 DA FB B9 51 42 9C 9E BE 3B 66 78 43 8D 69 95 BB 07 50 8B 8A 7A 77 F1 91 08 8D EB 5C DE 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1049; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39062; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA API preOpen use after free attempt"; flow:to_client,established; file_data; content:"|35 93 DA FB B9 51 42 9C 9E BE 3B 66 78 43 8D 69 95 BB 07 50 8B 8A 7A 77 F1 91 08 8D EB 5C DE 1C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1049; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39061; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|60 23 D1 B9 9B AA 8A C9 B0 A4 2A E1 7C AF 24 18 46 A3 DB 38 1A 8F E3 FB C1 7F 47 ED BC 00 AB 78|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,34736; reference:cve,2009-1492; classtype:attempted-user; sid:39109; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|60 23 D1 B9 9B AA 8A C9 B0 A4 2A E1 7C AF 24 18 46 A3 DB 38 1A 8F E3 FB C1 7F 47 ED BC 00 AB 78|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34736; reference:cve,2009-1492; classtype:attempted-user; sid:39108; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"U3D|00|"; fast_pattern; content:"|14 FF FF FF|"; within:200; content:"|02 00 00 00|"; within:100; content:"|55 FF FF FF|"; content:"|5C FF FF FF|"; content:"|FF D8|"; within:100; content:"JFIF|00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1074; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39105; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"U3D|00|"; fast_pattern; content:"|14 FF FF FF|"; within:200; content:"|02 00 00 00|"; within:100; content:"|55 FF FF FF|"; content:"|5C FF FF FF|"; content:"|FF D8|"; within:100; content:"JFIF|00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1074; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39104; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt"; flow:to_server,established; file_data; content:"|09 13 26 4C 99 32 65 F6 EC D9 33 67 CE 9C 3E 7D 3A 3E 4F 9A 34 69 DC B8 71 C3 39 A1 98 04 16 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1088; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39103; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt"; flow:to_client,established; file_data; content:"|09 13 26 4C 99 32 65 F6 EC D9 33 67 CE 9C 3E 7D 3A 3E 4F 9A 34 69 DC B8 71 C3 39 A1 98 04 16 1D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1088; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39102; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"U3D|00|"; fast_pattern; content:"|14 FF FF FF|"; within:200; content:"|00 00 00 00|"; within:100; content:"|22 FF FF FF|"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1071; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39101; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Universal 3D engine out of bounds memory access violation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"U3D|00|"; fast_pattern; content:"|14 FF FF FF|"; within:200; content:"|00 00 00 00|"; within:100; content:"|22 FF FF FF|"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1071; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39100; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader double memory free call remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"999999999999999999999999999.5 RG"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1111; reference:url,helpx.adobe.com/security/products/flash-player/APSB16-02.html; classtype:attempted-user; sid:39099; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader double memory free call remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"999999999999999999999999999.5 RG"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1111; reference:url,helpx.adobe.com/security/products/flash-player/APSB16-02.html; classtype:attempted-user; sid:39098; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA API preOpen use after free attempt"; flow:to_server,established; file_data; content:"interactiveForms"; fast_pattern; content:"event"; distance:0; content:"activity"; within:200; content:"preOpen"; within:20; content:"<script"; within:200; content:".execMenuItem("; within:200; content:"close"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1049; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39077; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA API preOpen use after free attempt"; flow:to_client,established; file_data; content:"interactiveForms"; fast_pattern; content:"event"; distance:0; content:"activity"; within:200; content:"preOpen"; within:20; content:"<script"; within:200; content:".execMenuItem("; within:200; content:"close"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1049; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39076; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"TextField"; nocase; content:"/Type"; within:30; nocase; content:"/Annot"; within:30; nocase; content:"|FF|"; within:200; content:"endobj"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1093; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39132; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Acroform engine memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"TextField"; nocase; content:"/Type"; within:30; nocase; content:"/Annot"; within:30; nocase; content:"|FF|"; within:200; content:"endobj"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1093; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:39131; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XObject image object use after free attempt"; flow:to_server,established; file_data; content:"|24 BF 1E 2D BF 1E 2D 17 03 05 8F 16 21 8F 16 21 8F 16 21 48 0B 11 00 00 00 00 00 00 00 00 00 A7 1A 27 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1075; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39154; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XObject image object use after free attempt"; flow:to_client,established; file_data; content:"|24 BF 1E 2D BF 1E 2D 17 03 05 8F 16 21 8F 16 21 8F 16 21 48 0B 11 00 00 00 00 00 00 00 00 00 A7 1A 27 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1075; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39153; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D|00|"; fast_pattern; content:"|44 FF FF FF|"; distance:0; byte_extract:2,8,length,relative,little; isdataat:length,relative; content:!"|01|"; within:length; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1116; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39455; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D|00|"; fast_pattern; content:"|44 FF FF FF|"; distance:0; byte_extract:2,8,length,relative,little; isdataat:length,relative; content:!"|01|"; within:length; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1116; reference:url,helpx.adobe.com/security/products/reader/apsb16-14.html; classtype:attempted-user; sid:39454; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG parsing out of bounds read attempt"; flow:to_server,established; file_data; content:"|3F C8 AB E3 FF 00 16 C7 A8 B0 D2 74 DB A6 92 D6 36 3F 68 91 08 11 CC D9 18 55 E3 25 41 5C E4 9C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4192; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39570; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG parsing out of bounds read attempt"; flow:to_client,established; file_data; content:"|3F C8 AB E3 FF 00 16 C7 A8 B0 D2 74 DB A6 92 D6 36 3F 68 91 08 11 CC D9 18 55 E3 25 41 5C E4 9C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4192; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39569; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PostScript font parsing memory corruption attempt"; flow:to_server,established; file_data; content:"|B0 EF B3 AF FC 15 C6 E6 63 8B 1A 30 DF 1D AB F2 4D 4A F9 4D 9F 59 30 AC CC 8F 76 7B 36 DF 18 94|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4251; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39557; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PostScript font parsing memory corruption attempt"; flow:to_client,established; file_data; content:"|B0 EF B3 AF FC 15 C6 E6 63 8B 1A 30 DF 1D AB F2 4D 4A F9 4D 9F 59 30 AC CC 8F 76 7B 36 DF 18 94|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4251; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39556; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader embedded TTF heap overflow attempt"; flow:to_server,established; file_data; content:"|7B 3C D5 56 00 00 5D 58 00 00 14 30 4C 54 53 48 81 2E 06 4A 00 00 05 DC 00 00 01 30 4F 53 2F 32|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4204; reference:url,helpx.adobe.com/security/products/reader/apsb16-26.html; classtype:attempted-user; sid:39547; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader embedded TTF heap overflow attempt"; flow:to_client,established; file_data; content:"|7B 3C D5 56 00 00 5D 58 00 00 14 30 4C 54 53 48 81 2E 06 4A 00 00 05 DC 00 00 01 30 4F 53 2F 32|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4204; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39546; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG handling memory corruption attempt"; flow:to_server,established; file_data; content:"|0A 28 A2 80 FE 28 FF 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2016-4252; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39537; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG handling memory corruption attempt"; flow:to_client,established; file_data; content:"|0A 28 A2 80 FE 28 FF 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80 0A 28 A2 80|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4252; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39536; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF name record out of bounds read attempt"; flow:to_server,established; file_data; content:"|2E 7C 48 CE 24 D9 BF B9 69 F8 FF 3F 2A 6D 20 54 29 54 9D 19 A0 35 45 6B 09 F0 C5 AF 15 BE E1 76|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4203; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39535; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded TTF name record out of bounds read attempt"; flow:to_client,established; file_data; content:"|2E 7C 48 CE 24 D9 BF B9 69 F8 FF 3F 2A 6D 20 54 29 54 9D 19 A0 35 45 6B 09 F0 C5 AF 15 BE E1 76|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4203; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39534; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt"; flow:to_server,established; file_data; content:"%PDF-"; depth:5; content:"<xsl:template"; fast_pattern:only; content:"<xsl:stylesheet"; nocase; pcre:"/<xsl:[^>]*?(test|value|select)\s*=\s*\x5c[\x22\x27][^\x22\x27]*?\w+(\s*\x5b\s*\d+\s*\x5d){10}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4195; reference:cve,2016-4196; reference:cve,2016-4197; reference:cve,2016-4198; reference:cve,2016-4199; reference:cve,2016-4200; reference:cve,2016-4202; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39533; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XSL multi-dimensional array memory corruption attempt"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; content:"<xsl:template"; fast_pattern:only; content:"<xsl:stylesheet"; nocase; pcre:"/<xsl:[^>]*?(test|value|select)\s*=\s*\x5c[\x22\x27][^\x22\x27]*?\w+(\s*\x5b\s*\d+\s*\x5d){10}/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4195; reference:cve,2016-4196; reference:cve,2016-4197; reference:cve,2016-4198; reference:cve,2016-4199; reference:cve,2016-4200; reference:cve,2016-4202; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39532; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader submitForm SOP bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; nocase; content:".submitForm"; within:200; content:"cURL"; within:200; content:"cCharset:"; within:200; content:"|5C 5C|r"; within:200; pcre:"/cCharset\x3A\s*[\x22\x27][^\x22\x27]+?\x5C\x5Cr/sm"; metadata:service smtp; reference:cve,2016-4215; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:policy-violation; sid:39670; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader submitForm SOP bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; nocase; content:".submitForm"; within:200; content:"cURL"; within:200; content:"cCharset:"; within:200; content:"|5C 5C|r"; within:200; pcre:"/cCharset\x3A\s*[\x22\x27][^\x22\x27]+?\x5C\x5Cr/sm"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-4215; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:policy-violation; sid:39669; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt"; flow:to_server,established; file_data; content:"|D1 A4 33 1B D9 D9 FB FC 47 2D DF CA 3E 95 B3 9F 76 0E F9 F7 5A 56 88 D9 C7 CA CC 7E 39 E7 D9 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4206; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39644; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt"; flow:to_client,established; file_data; content:"|D1 A4 33 1B D9 D9 FB FC 47 2D DF CA 3E 95 B3 9F 76 0E F9 F7 5A 56 88 D9 C7 CA CC 7E 39 E7 D9 56|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4206; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39643; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 05 52 3C 96 04 00 08 06 08 07 1C 96 02 00 08 08 4E 3C 96 02 00 08 01 1C 96 04 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2016-4227; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39704; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 05 52 3C 96 04 00 08 06 08 07 1C 96 02 00 08 08 4E 3C 96 02 00 08 01 1C 96 04 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4227; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39703; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt"; flow:to_server,established; file_data; content:"|00 04 00 48 00 00 00 0E 00 08 00 02 00 06 00 22 00 2D 00 4D 00 64 00 72 00 AD FF FF 00 00 00 21|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4201; reference:url,www.adobe.com/support/security/bulletins/apsb16-26.html; classtype:attempted-user; sid:39700; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt"; flow:to_client,established; file_data; content:"|00 04 00 48 00 00 00 0E 00 08 00 02 00 06 00 22 00 2D 00 4D 00 64 00 72 00 AD FF FF 00 00 00 21|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4201; reference:url,www.adobe.com/support/security/bulletins/apsb16-26.html; classtype:attempted-user; sid:39699; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"+LucidaSansUnicode"; content:"|00 03 00 00 00 00 00 00 FF 33 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:580; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4205; reference:url,www.adobe.com/support/security/bulletins/apsb16-26.html; classtype:attempted-user; sid:39688; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"+LucidaSansUnicode"; content:"|00 03 00 00 00 00 00 00 FF 33 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:580; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4205; reference:url,www.adobe.com/support/security/bulletins/apsb16-26.html; classtype:attempted-user; sid:39687; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt"; flow:to_server,established; file_data; content:"|05 FC 06 F8 BF 15 F7 3E FB 93 FB 3E FB 93 05 0E FA 7C FB 72 FA 64 01 97 FA 64 03 FA 70 F7 9E 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4206; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39732; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt"; flow:to_client,established; file_data; content:"|05 FC 06 F8 BF 15 F7 3E FB 93 FB 3E FB 93 05 0E FA 7C FB 72 FA 64 01 97 FA 64 03 FA 70 F7 9E 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4206; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39731; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed ICC profile memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A 00 00 00 14 66 74 79 70 6A 70 32|"; content:"colr|03|"; distance:0; content:"|00 00 00 10|"; within:4; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4191; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39753; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed ICC profile memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A 00 00 00 14 66 74 79 70 6A 70 32|"; content:"colr|03|"; distance:0; content:"|00 00 00 10|"; within:4; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4191; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39752; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|4C C1 42 CF D0 D4 C2 40 21 24 8D 8B D3 C6 C4 D2 C8 2E 24 8B 8B D3 15 28 E9 EA 0B D4 A0 A0 00 00 26 F4 16 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9158; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:39799; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|4C C1 42 CF D0 D4 C2 40 21 24 8D 8B D3 C6 C4 D2 C8 2E 24 8B 8B D3 15 28 E9 EA 0B D4 A0 A0 00 00 26 F4 16 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9158; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:39798; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader CoolType engine FlateDecode use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2F 54 79 70 65 20 2F 46 6F 6E 74 44 65 73 63 72 69 70 74 6F 72 20 0D 2F 46 6F 6E 74 46 69 6C 65 32 20 37 34 20 30 20 52 20 0D 2F 46 6F 6E 74 42 42 6F 78 20 5B 20 2D 36 32 38 20 2D 33 37 36 20 32 30 30 30 20 31 30 31 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4255; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39865; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader CoolType engine FlateDecode use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F 54 79 70 65 20 2F 46 6F 6E 74 44 65 73 63 72 69 70 74 6F 72 20 0D 2F 46 6F 6E 74 46 69 6C 65 32 20 37 34 20 30 20 52 20 0D 2F 46 6F 6E 74 42 42 6F 78 20 5B 20 2D 36 32 38 20 2D 33 37 36 20 32 30 30 30 20 31 30 31 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4255; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:39864; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|89 EC 56 6D 54 53 E7 1D FF 3D 37 10 10 04 03 06 88 46 C3 93 5C 03 28 21 C8 3B 22 2F 21 6F 82 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4208; reference:url,helpx.adobe.com/security/products/reader/apsb16-26.html; classtype:attempted-user; sid:39890; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|89 EC 56 6D 54 53 E7 1D FF 3D 37 10 10 04 03 06 88 46 C3 93 5C 03 28 21 C8 3B 22 2F 21 6F 82 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4208; reference:url,helpx.adobe.com/security/products/reader/apsb16-26.html; classtype:attempted-recon; sid:39889; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/XObject"; content:"/DeviceRGB"; within:200; distance:-100; content:"/Group"; within:200; distance:-100; content:"/Transparency"; within:200; distance:-100; content:"stream"; within:100; content:"cm"; within:100; pcre:"/XObject.+?stream\x0a?\d{9,}\.\d{4,5}(\s+\d+\.\d{4,5}){5}\s+cm/"; metadata:policy security-ips drop, service smtp; reference:cve,2014-9158; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:39923; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/XObject"; content:"/DeviceRGB"; within:200; distance:-100; content:"/Group"; within:200; distance:-100; content:"/Transparency"; within:200; distance:-100; content:"stream"; within:100; content:"cm"; within:100; pcre:"/XObject.+?stream\x0a?\d{9,}\.\d{4,5}(\s+\d+\.\d{4,5}){5}\s+cm/"; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9158; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-28.html; classtype:attempted-user; sid:39922; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader embedded font out of bounds memory access attempt"; flow:to_server,established; file_data; content:"|1C 78 F5 55 F8 6B D2 DF 77 34 C6 77 33 42 3C EC 43 E5 6C 0E 34 DD 60 43 96 3F EC 32 6B F5 DB 79|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4207; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:40237; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader embedded font out of bounds memory access attempt"; flow:to_client,established; file_data; content:"|1C 78 F5 55 F8 6B D2 DF 77 34 C6 77 33 42 3C EC 43 E5 6C 0E 34 DD 60 43 96 3F EC 32 6B F5 DB 79|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4207; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-26.html; classtype:attempted-user; sid:40236; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader TrueType font file numberofmetrics out of bounds read attempt"; flow:to_server,established; file_data; content:"|F9 98 88 0B 6A 25 FA 22 07 15 A8 A2 E5 96 DB 5A 6F 6D B4 76 62 17 0E C9 8F AD BB 5C 4F 07 A6 32 34 5B DF 6B 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6954; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40441; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader TrueType font file numberofmetrics out of bounds read attempt"; flow:to_client,established; file_data; content:"|F9 98 88 0B 6A 25 FA 22 07 15 A8 A2 E5 96 DB 5A 6F 6D B4 76 62 17 0E C9 8F AD BB 5C 4F 07 A6 32 34 5B DF 6B 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6954; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40440; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt"; flow:to_server,established; file_data; content:"%PDF-"; depth:5; content:"<xsl:template"; fast_pattern:only; content:"<xsl:stylesheet"; nocase; content:"substring-after"; nocase; pcre:"/<xsl:[^>]*?(apply-templates|choose|copy-of|for-each|if|number|for-each|value-of|variable).{0,255}(select|value|test)\s*\x3d\s*\x5c?\x22substring-after\s*\x28(\s*\x27[^\x22]\x27\s*|\s*[^\x27\x22\x2c]\s*)\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6959; reference:cve,2016-6960; reference:cve,2016-6966; reference:cve,2016-6973; reference:cve,2016-6974; reference:cve,2016-6975; reference:cve,2016-6976; reference:cve,2016-6977; reference:cve,2016-6978; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40437; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; content:"<xsl:template"; fast_pattern:only; content:"<xsl:stylesheet"; nocase; content:"substring-after"; nocase; pcre:"/<xsl:[^>]*?(apply-templates|choose|copy-of|for-each|if|number|for-each|value-of|variable).{0,255}(select|value|test)\s*\x3d\s*\x5c?\x22substring-after\s*\x28(\s*\x27[^\x22]\x27\s*|\s*[^\x27\x22\x2c]\s*)\x29/si"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6959; reference:cve,2016-6960; reference:cve,2016-6966; reference:cve,2016-6973; reference:cve,2016-6974; reference:cve,2016-6975; reference:cve,2016-6976; reference:cve,2016-6977; reference:cve,2016-6978; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40436; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA app.setTimeOut memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.setTimeOut"; fast_pattern:only; content:"|2F|JavaScript"; content:"|2F|XFA"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,57931; reference:cve,2013-0640; reference:cve,2013-0641; reference:cve,2016-6946; reference:cve,2017-2961; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:40431; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG engine spurious object reference use after free attempt"; flow:to_server,established; file_data; content:"|5F DE 2D A1 08 7A CE 6D 9F 7D 0A 01 66 6E 44 3E 3E B3 9E 68 83 80 42 F1 D3 7F 23 03 F5 97 3D C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1089; reference:url,helpx.adobe.com/security/products/reader/apsb16-26.html; classtype:attempted-user; sid:40456; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG engine spurious object reference use after free attempt"; flow:to_client,established; file_data; content:"|5F DE 2D A1 08 7A CE 6D 9F 7D 0A 01 66 6E 44 3E 3E B3 9E 68 83 80 42 F1 D3 7F 23 03 F5 97 3D C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1089; reference:url,helpx.adobe.com/security/products/reader/apsb16-26.html; classtype:attempted-user; sid:40455; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"obj"; content:"<<"; within:10; content:"R|2F FE FF|"; within:30; content:!"|00 00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6956; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; classtype:attempted-user; sid:40516; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj"; content:"<<"; within:10; content:"R|2F FE FF|"; within:30; content:!"|00 00|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6956; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; classtype:attempted-user; sid:40515; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:number"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6965; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40514; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:number"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6965; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40513; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:for-each"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6964; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40512; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:for-each"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6964; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40511; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:apply-templates"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6963; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40510; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:apply-templates"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6963; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40509; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:choose"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6962; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40508; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:choose"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6962; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40507; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:copy-of"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6961; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40506; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XSLT Transform use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Transform"; nocase; content:"xsl:copy-of"; within:200; nocase; content:"XMLData.parse"; distance:0; nocase; content:"nodes.item"; within:50; nocase; content:"applyXSL"; within:70; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6961; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40505; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction <<"; content:"/JS"; within:15; content:"xfa.template.createNode"; content:"exclGroup"; within:100; fast_pattern; content:"xfa.resolveNode"; content:"xfa.host.openList"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6950; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40576; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction <<"; content:"/JS"; within:15; content:"xfa.template.createNode"; content:"exclGroup"; within:100; fast_pattern; content:"xfa.resolveNode"; content:"xfa.host.openList"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6950; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40575; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/OpenAction <<"; content:"/JS"; within:15; content:"xfa.resolveNode"; fast_pattern:only; content:"xfa.template"; content:".append"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6951; reference:cve,2017-2967; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40574; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/OpenAction <<"; content:"/JS"; within:15; content:"xfa.resolveNode"; fast_pattern:only; content:"xfa.template"; content:".append"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6951; reference:cve,2017-2967; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40573; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader corrupt bookmark use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|9B A2 D8 9F CF E5 F3 97 E3 E3 8C 69 4E 10 41 63 9A 53 44 29 05 C0 10 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1091; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40572; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader corrupt bookmark use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|9B A2 D8 9F CF E5 F3 97 E3 E3 8C 69 4E 10 41 63 9A 53 44 29 05 C0 10 4D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1091; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40571; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction <<"; content:"/JS"; within:15; content:"xfa.layout.relayoutPageArea"; fast_pattern:only; content:"xfa.resolveNode"; content:"xfa.host.openList"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6952; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40570; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction <<"; content:"/JS"; within:15; content:"xfa.layout.relayoutPageArea"; fast_pattern:only; content:"xfa.resolveNode"; content:"xfa.host.openList"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6952; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40569; rev:2;)
alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt"; flow:to_server,established; file_data; content:"|68 DE BC 94 DD 6E DB 36 14 C7 9F 60 EF C0 CB 16 43 F6 97 44 7D D0 40 11 C0 76 E3 D6 5B 9C A4 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6948; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40558; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt"; flow:to_client,established; file_data; content:"|68 DE BC 94 DD 6E DB 36 14 C7 9F 60 EF C0 CB 16 43 F6 97 44 7D D0 40 11 C0 76 E3 D6 5B 9C A4 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6948; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40557; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"beginPriv"; content:"__proto__"; within:150; content:"="; within:10; content:"beginPriv"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6957; reference:cve,2016-6958; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40547; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"beginPriv"; content:"__proto__"; within:150; content:"="; within:10; content:"beginPriv"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6957; reference:cve,2016-6958; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40546; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"xfa.form.resolveNode"; distance:0; content:"rawValue"; content:"setTimeOut"; content:"xfa.form.resolveNode"; distance:0; content:"xfa.form.remerge"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6988; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40578; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"xfa.form.resolveNode"; distance:0; content:"rawValue"; content:"setTimeOut"; content:"xfa.form.resolveNode"; distance:0; content:"xfa.form.remerge"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6988; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40577; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.xdc.resolveNode"; distance:0; content:"xfa.form.resolveNode"; distance:0; content:"xfa.form.outerform.exclGroup.field"; within:40; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6942; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40603; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.xdc.resolveNode"; distance:0; content:"xfa.form.resolveNode"; distance:0; content:"xfa.form.outerform.exclGroup.field"; within:40; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6942; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40602; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XLST parsing engine use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"XMLData.parse"; nocase; content:"nodes.item"; distance:0; nocase; content:"app.alert"; distance:0; nocase; content:".applyXSL"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6979; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; classtype:attempted-user; sid:40588; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XLST parsing engine use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"XMLData.parse"; nocase; content:"nodes.item"; distance:0; nocase; content:"app.alert"; distance:0; nocase; content:".applyXSL"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6979; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; classtype:attempted-user; sid:40587; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"console.show"; content:"setAction"; within:100; content:"WillSave"; within:25; content:"execMenuItem"; within:50; content:"SaveAs"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6945; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40586; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"console.show"; content:"setAction"; within:100; content:"WillSave"; within:25; content:"execMenuItem"; within:50; content:"SaveAs"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6945; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40585; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction <<"; content:"/JS"; within:15; content:"instanceManager.removeInstance"; content:"xfa.form"; within:200; content:"instanceManager.addInstance"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6953; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40640; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction <<"; content:"/JS"; within:15; content:"instanceManager.removeInstance"; content:"xfa.form"; within:200; content:"instanceManager.addInstance"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6953; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40639; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XML Metadata memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"PDF-1.5|0D|"; content:"<</AcroForm 54"; content:"<</Linearized 1"; fast_pattern:only; content:"/L "; depth:50; byte_test:10,>=,300000,0,relative,big,string,dec; content:"/O "; within:15; byte_test:10,>=,30,0,relative,big,string,dec; content:"/N "; within:30; byte_test:10,<=,5,0,relative,big,string,dec; content:"<</Filter/FlateDecode/Length "; nocase; byte_test:10,>=,10000,0,relative,big,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6943; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40619; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XML Metadata memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PDF-1.5|0D|"; content:"<</AcroForm 54"; content:"<</Linearized 1"; fast_pattern:only; content:"/L "; depth:50; byte_test:10,>=,300000,0,relative,big,string,dec; content:"/O "; within:15; byte_test:10,>=,30,0,relative,big,string,dec; content:"/N "; within:30; byte_test:10,<=,5,0,relative,big,string,dec; content:"<</Filter/FlateDecode/Length "; nocase; byte_test:10,>=,10000,0,relative,big,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6943; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40618; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"JavaScript"; fast_pattern:only; content:"/JS"; content:"console.show()"; content:"function "; within:50; content:"search.query"; within:100; pcre:"/function (?P<badFunc>[\w\x20\x2c\x28\x29]+)\s*{.*search.query\x28\x22\w+\x22\x29\x3B.+(?P=badFunc)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6944; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40708; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JavaScript"; fast_pattern:only; content:"/JS"; content:"console.show()"; content:"function "; within:50; content:"search.query"; within:100; pcre:"/function (?P<badFunc>[\w\x20\x2c\x28\x29]+)\s*{.*search.query\x28\x22\w+\x22\x29\x3B.+(?P=badFunc)/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6944; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40707; rev:1;)
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt"; flow:to_server,established; file_data; content:"|04 BF CB EB 1A 8D 07 F7 01 32 DE FB 0B FB 0F 4A 52 2E 4E 1E B2 71 05 DF C5 C5 B9 E4 1B DF D5 50|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6939; reference:url,helpx.adobe.com/security/products/reader/aspb16-33.html; classtype:attempted-admin; sid:40700; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt"; flow:to_client,established; file_data; content:"|04 BF CB EB 1A 8D 07 F7 01 32 DE FB 0B FB 0F 4A 52 2E 4E 1E B2 71 05 DF C5 C5 B9 E4 1B DF D5 50|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6939; reference:url,helpx.adobe.com/security/products/reader/aspb16-33.html; classtype:attempted-admin; sid:40699; rev:2;)
# alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|4D 1B 43 51 33 9E C7 5C 1C 73 5A 59 86 5D C2 20 EE CC B0 B6 8D 6E A3 D3 88 37 7A 64 22 2C 48 85|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6939; reference:url,helpx.adobe.com/security/products/reader/aspb16-33.html; classtype:attempted-admin; sid:40698; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader MakeAccessible plugin heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|4D 1B 43 51 33 9E C7 5C 1C 73 5A 59 86 5D C2 20 EE CC B0 B6 8D 6E A3 D3 88 37 7A 64 22 2C 48 85|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6939; reference:url,helpx.adobe.com/security/products/reader/aspb16-33.html; classtype:attempted-admin; sid:40697; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader parser object use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|ED B7 D5 9F 0F 9F 3E 90 4D BF FF BE FE F0 40 B3 D5 C3 93 4D 59 83 1B FC 8F 9A AC 9C AD FE 86 5B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6949; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-admin; sid:40696; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader parser object use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|ED B7 D5 9F 0F 9F 3E 90 4D BF FF BE FE F0 40 B3 D5 C3 93 4D 59 83 1B FC 8F 9A AC 9C AD FE 86 5B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6949; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-admin; sid:40695; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA relayoutPageArea JavaScript out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.form.resolveNode"; content:"oneOfChild"; content:"xfa.layout.relayoutPageArea"; content:"setTimeOut"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6947; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40642; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA relayoutPageArea JavaScript out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"xfa.form.resolveNode"; content:"oneOfChild"; content:"xfa.layout.relayoutPageArea"; content:"setTimeOut"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6947; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40641; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat Reader Open Cascade Library memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|FF 4B E0 28 0B 92 65 65 F5 F5 05 24 35 F5 24 55 34 55 25 64 54 45 F4 15 45 45 24 94 25 55 44 55|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6940; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40779; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Acrobat Reader Open Cascade Library memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|FF 4B E0 28 0B 92 65 65 F5 F5 05 24 35 F5 24 55 34 55 25 64 54 45 F4 15 45 45 24 94 25 55 44 55|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6940; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40778; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript recursive calls memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JS"; content:"function"; within:100; content:"var"; within:100; content:"eval|28|"; within:100; fast_pattern; content:"try"; within:100; content:"eval|28|"; within:100; content:"catch"; within:100; content:"eval|28|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-6970; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40826; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript recursive calls memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JS"; content:"function"; within:100; content:"var"; within:100; content:"eval|28|"; within:100; fast_pattern; content:"try"; within:100; content:"eval|28|"; within:100; content:"catch"; within:100; content:"eval|28|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6970; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-user; sid:40825; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"xsl:attribute"; nocase; content:"name"; within:50; content:"|22|"; within:10; pcre:"/xsl\x3aattribute[^>]*name\s*=\s*\x22([a-z]+&#x|(&#x[1-9a-f][0-9a-f]{4,}\x3b)+[^\s\x22&])/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2948; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41194; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"xsl:attribute"; nocase; content:"name"; within:50; content:"|22|"; within:10; pcre:"/xsl\x3aattribute[^>]*name\s*=\s*\x22([a-z]+&#x|(&#x[1-9a-f][0-9a-f]{4,}\x3b)+[^\s\x22&])/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2948; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41193; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<xsl:stylesheet"; nocase; content:"Transform"; within:50; nocase; content:"<xsl:template"; within:50; nocase; content:"&#x"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2949; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41164; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XSL stylesheet heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<xsl:stylesheet"; nocase; content:"Transform"; within:50; nocase; content:"<xsl:template"; within:50; nocase; content:"&#x"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2949; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41163; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt"; flow:to_server,established; file_data; content:"|00 44 44 00 44 0F 00 44 44 00 44 00 00 44 44 00 44 00 00 48 02 00 01 00 04 00 07 00 3B 00 80 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2941; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41155; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt"; flow:to_client,established; file_data; content:"|00 44 44 00 44 0F 00 44 44 00 44 00 00 44 44 00 44 00 00 48 02 00 01 00 04 00 07 00 3B 00 80 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2941; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-admin; sid:41154; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt"; flow:to_server,established; file_data; content:"%FDF"; depth:4; content:"<</FDF<</Annots"; fast_pattern:only; content:"/S /JavaScript"; content:"/JS"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2947; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41153; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt"; flow:to_client,established; file_data; content:"%FDF"; depth:4; content:"<</FDF<</Annots"; fast_pattern:only; content:"/S /JavaScript"; content:"/JS"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2947; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41152; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; fast_pattern:only; content:"/JS"; content:".pane"; within:900; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2956; reference:cve,2017-2957; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41151; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; fast_pattern:only; content:"/JS"; content:".pane"; within:900; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2956; reference:cve,2017-2957; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41150; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat animateSyncButton use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Collab"; nocase; content:"animateSyncButton"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2955; reference:cve,2017-2958; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41143; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat animateSyncButton use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab"; nocase; content:"animateSyncButton"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2955; reference:cve,2017-2958; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41142; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XSL type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xsl|3A|template match="; content:"xsl|3A|for-each select="; content:"node|28|"; within:5; distance:1; content:"xsl|3A|copy-of select="; content:"lang|28|"; within:5; distance:1; metadata:service smtp; reference:cve,2017-2962; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41205; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XSL type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xsl|3A|template match="; content:"xsl|3A|for-each select="; content:"node|28|"; within:5; distance:1; content:"xsl|3A|copy-of select="; content:"lang|28|"; within:5; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2962; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41204; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat XFA Engine use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<pageset"; nocase; content:"<pagearea"; distance:0; nocase; content:"<contentArea"; distance:0; nocase; content:"</pagearea"; distance:0; nocase; content:"</pageset"; distance:0; nocase; content:"<draw"; distance:0; nocase; content:"</draw>"; distance:0; nocase; content:"<subform"; distance:0; nocase; content:"</subform"; distance:0; nocase; content:"<draw"; distance:0; nocase; content:"</draw>"; distance:0; nocase; content:"<subform"; distance:0; nocase; content:"</subform"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2950; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41326; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat XFA Engine use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<pageset"; nocase; content:"<pagearea"; distance:0; nocase; content:"<contentArea"; distance:0; nocase; content:"</pagearea"; distance:0; nocase; content:"</pageset"; distance:0; nocase; content:"<draw"; distance:0; nocase; content:"</draw>"; distance:0; nocase; content:"<subform"; distance:0; nocase; content:"</subform"; distance:0; nocase; content:"<draw"; distance:0; nocase; content:"</draw>"; distance:0; nocase; content:"<subform"; distance:0; nocase; content:"</subform"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2950; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41325; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt"; flow:to_server, established; file_data; content:"|FF 52 00 0C 00 01 00 01 01 0D 04 04 00 00 FF 64 00 0F 00 01 4C 57 46 5F 4A 50 32 5F 32 31 30 FF 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-6955; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-admin; sid:41324; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt"; flow:to_client, established; file_data; content:"|FF 52 00 0C 00 01 00 01 01 0D 04 04 00 00 FF 64 00 0F 00 01 4C 57 46 5F 4A 50 32 5F 32 31 30 FF 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6955; reference:url,helpx.adobe.com/security/products/reader/apsb16-33.html; classtype:attempted-admin; sid:41323; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt"; flow:to_server, established; file_data; content:"|68 DE 62 60 60 60 63 60 60 F6 61 60 65 60 50 B8 C7 20 C2 80 00 22 40 31 36 06 16 06 8E 93 1C 0E 5D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-6971; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; classtype:attempted-admin; sid:41322; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt"; flow:to_client, established; file_data; content:"|68 DE 62 60 60 60 63 60 60 F6 61 60 65 60 50 B8 C7 20 C2 80 00 22 40 31 36 06 16 06 8E 93 1C 0E 5D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-6971; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-33.html; classtype:attempted-admin; sid:41321; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|01 4E 20 1E 5F BD 5F 96 7D A5 4A E2 2A 5C 6E A8 39 0A 1E B7 39 6A 47 7D BC 8D 22 48 05 8A 91 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2939; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41320; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|01 4E 20 1E 5F BD 5F 96 7D A5 4A E2 2A 5C 6E A8 39 0A 1E B7 39 6A 47 7D BC 8D 22 48 05 8A 91 17|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2939; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; classtype:attempted-user; sid:41319; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader APP13 heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|07 73 6C 69 63 65 49 44 6C 6F 6E 67 00 00 00 00 00 00 00 07 67 72 6F 75 70 49 44 EA 6F 6E 67 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2946; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:41330; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader APP13 heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|07 73 6C 69 63 65 49 44 6C 6F 6E 67 00 00 00 00 00 00 00 07 67 72 6F 75 70 49 44 EA 6F 6E 67 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2946; reference:url,helpx.adobe.com/security/products/reader/apsb17-01.html; classtype:attempted-user; sid:41329; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt"; flow:to_server,established; file_data; content:"<subform"; content:!"Set"; within:3; content:!"</subform>"; within:300; content:"<subformSet"; within:200; fast_pattern; content:"<subform"; within:100; content:!"Set"; within:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2951; reference:cve,2017-3034; reference:cve,2017-3120; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:41400; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt"; flow:to_client,established; file_data; content:"<subform"; content:!"Set"; within:3; content:!"</subform>"; within:300; content:"<subformSet"; within:200; fast_pattern; content:"<subform"; within:100; content:!"Set"; within:3; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2951; reference:cve,2017-3034; reference:cve,2017-3120; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-01.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:41399; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader image cache use after free attempt"; flow:to_server,established; file_data; content:"|57 8C C2 BB 7A 16 D3 02 56 BD 19 3F F8 CF CB B8 6E 7B 5B 6B 63 43 99 19 87 42 FB 86 14 4A CE E8|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0528; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:41417; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader image cache use after free attempt"; flow:to_client,established; file_data; content:"|57 8C C2 BB 7A 16 D3 02 56 BD 19 3F F8 CF CB B8 6E 7B 5B 6B 63 43 99 19 87 42 FB 86 14 4A CE E8|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-0528; reference:url,helpx.adobe.com/security/products/reader/apsb14-15.html; classtype:attempted-user; sid:41416; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader setPersistent use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:"global"; distance:0; nocase; content:"defineGetter"; within:50; nocase; content:"delete"; within:500; nocase; content:"global"; within:30; nocase; content:"setPersistent"; fast_pattern; nocase; content:"true"; within:50; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,80358; reference:cve,2016-1061; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:41514; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader setPersistent use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:"global"; distance:0; nocase; content:"defineGetter"; within:50; nocase; content:"delete"; within:500; nocase; content:"global"; within:30; nocase; content:"setPersistent"; fast_pattern; nocase; content:"true"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,80358; reference:cve,2016-1061; reference:url,helpx.adobe.com/security/products/acrobat/apsb16-14.html; classtype:attempted-user; sid:41513; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus ipStringCreate integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"899308B9099D29CBD>]/Index[37 16]/Info 36"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2777; reference:url,www.talosintelligence.com/reports/TALOS-2017-0271; classtype:attempted-user; sid:41328; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus ipStringCreate integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"899308B9099D29CBD>]/Index[37 16]/Info 36"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2777; reference:url,www.talosintelligence.com/reports/TALOS-2017-0271; classtype:attempted-user; sid:41327; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus PDF TextToPolys rasterization code execution vulnerability attempt"; flow:to_server,established; file_data; content:"|95 91 42 60 2B E4 F5 63 7A CB C4 67 35 52 41 4C 15 51 CD DC 21 BE BD 91 0A B7 DF 73 E7 9E FB FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8389; reference:url,www.talosintelligence.com/reports/TALOS-2016-0214; classtype:attempted-user; sid:40926; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus PDF TextToPolys rasterization code execution vulnerability attempt"; flow:to_client,established; file_data; content:"|95 91 42 60 2B E4 F5 63 7A CB C4 67 35 52 41 4C 15 51 CD DC 21 BE BD 91 0A B7 DF 73 E7 9E FB FC|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8389; reference:url,www.talosintelligence.com/reports/TALOS-2016-0214; classtype:attempted-user; sid:40925; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus PDF font-encoding glyphmap adjustment code execution vulnerability attempt"; flow:to_server,established; file_data; content:"|DD 77 33 EB BB 5B D1 FE 14 A9 6A 1B 86 F5 D7 DB EF 3A ED AE 88 0D 7C FA 48 90 E3 30 A1 31 C9 B3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8388; reference:url,www.talosintelligence.com/reports/TALOS-2016-0213; classtype:attempted-user; sid:40924; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus PDF font-encoding glyphmap adjustment code execution vulnerability attempt"; flow:to_client,established; file_data; content:"|DD 77 33 EB BB 5B D1 FE 14 A9 6A 1B 86 F5 D7 DB EF 3A ED AE 88 0D 7C FA 48 90 E3 30 A1 31 C9 B3|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8388; reference:url,www.talosintelligence.com/reports/TALOS-2016-0213; classtype:attempted-user; sid:40923; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus loadLZWBuffer out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/LZWDecode"; fast_pattern; content:"/Length"; within:150; byte_extract:10,0,len_ref,relative,string,dec; content:" 0 R"; within:5; content:"|0A|stream|0A|"; within:25; content:"|0A|endstream|0A|endobj|0A|"; within:250; byte_test:10,=,len_ref,0,relative,string,dec; content:" 0 obj"; within:10; byte_test:10,>,10000,0,relative,string,dec; content:"|0A|endobj"; within:20; metadata:service smtp; reference:cve,2016-8387; reference:url,www.talosintelligence.com/reports/TALOS-2016-0212; classtype:attempted-user; sid:40922; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus loadLZWBuffer out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/LZWDecode"; fast_pattern; content:"/Length"; within:150; byte_extract:10,0,len_ref,relative,string,dec; content:" 0 R"; within:5; content:"|0A|stream|0A|"; within:25; content:"|0A|endstream|0A|endobj|0A|"; within:250; byte_test:10,=,len_ref,0,relative,string,dec; content:" 0 obj"; within:10; byte_test:10,>,10000,0,relative,string,dec; content:"|0A|endobj"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8387; reference:url,www.talosintelligence.com/reports/TALOS-2016-0212; classtype:attempted-user; sid:40921; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni ArgusPDF convertor malformed embedded TTF file cmap table memory corruption attempt"; flow:to_server,established; file_data; content:"|25 5F 41 00 7A CB AE B2 83 EC 28 E3 C5 56 D9 53 26 C8 DE B2 97 31 4F 76 A3 93 74 4A F6 20 93 E6 88|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8386; reference:url,www.talosintelligence.com/reports/TALOS-2016-0211; classtype:attempted-user; sid:40920; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni ArgusPDF convertor malformed embedded TTF file cmap table memory corruption attempt"; flow:to_client,established; file_data; content:"|25 5F 41 00 7A CB AE B2 83 EC 28 E3 C5 56 D9 53 26 C8 DE B2 97 31 4F 76 A3 93 74 4A F6 20 93 E6 88|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8386; reference:url,www.talosintelligence.com/reports/TALOS-2016-0211; classtype:attempted-user; sid:40919; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus PDF uninitialized WordStyle color length code overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"BT|0A|"; content:"|20|rg|0A|"; within:200; fast_pattern; content:"/Content"; content:"/MCID"; within:100; pcre:"/(([0-9]+\x20[0-9]+\x20[A-Za-z])|([0-9]+\x20[A-Za-z]\x20[0-9]+)|([A-Za-z]\x20[0-9]+\x20[0-9]+))\x20rg\x0a/sm"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8385; reference:url,www.talosintelligence.com/reports/TALOS-2016-0210/; classtype:attempted-user; sid:40918; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus PDF uninitialized WordStyle color length code overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"BT|0A|"; content:"|20|rg|0A|"; within:200; fast_pattern; content:"/Content"; content:"/MCID"; within:100; pcre:"/(([0-9]+\x20[0-9]+\x20[A-Za-z])|([0-9]+\x20[A-Za-z]\x20[0-9]+)|([A-Za-z]\x20[0-9]+\x20[0-9]+))\x20rg\x0a/sm"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8385; reference:url,www.talosintelligence.com/reports/TALOS-2016-0210/; classtype:attempted-user; sid:40917; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus icnChainAlloc heap corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"trailer"; fast_pattern; content:"/Size"; within:50; byte_test:10,>=,0x2aaaab,0,relative,string; metadata:service smtp; reference:cve,2016-8715; reference:url,www.talosintelligence.com/reports/TALOS-2016-0228; classtype:attempted-user; sid:40875; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus icnChainAlloc heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"trailer"; fast_pattern; content:"/Size"; within:50; byte_test:10,>=,0x2aaaab,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8715; reference:url,www.talosintelligence.com/reports/TALOS-2016-0228; classtype:attempted-user; sid:40874; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus loadTrailer heap corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"trailer"; fast_pattern; content:"/Size"; within:50; content:"-"; within:10; pcre:"/trailer.{0,50}\x2fSize\s+?\x2d\d+?/smi"; metadata:service smtp; reference:cve,2016-8715; reference:url,www.talosintelligence.com/reports/TALOS-2016-0228; classtype:attempted-user; sid:40873; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus loadTrailer heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"trailer"; fast_pattern; content:"/Size"; within:50; content:"-"; within:10; pcre:"/trailer.{0,50}\x2fSize\s+?\x2d\d+?/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8715; reference:url,www.talosintelligence.com/reports/TALOS-2016-0228; classtype:attempted-user; sid:40872; rev:2;)
alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"FILE-PDF Nitro Pro out of bounds memory write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Pages"; within:10; content:"/Parent/Kids["; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8709; reference:url,www.talosintelligence.com/reports/TALOS-2016-0218; classtype:attempted-user; sid:40777; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Nitro Pro out of bounds memory write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Pages"; within:10; content:"/Parent/Kids["; within:15; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8709; reference:url,www.talosintelligence.com/reports/TALOS-2016-0218; classtype:attempted-user; sid:40776; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Oracle Outside In Technology remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Index"; fast_pattern:only; pcre:"/\x2FIndex\s*?\x5b[\d\s\x3d\x00]*?[^\d\s\x5d\x3d\x00]/i"; metadata:service smtp; reference:cve,2017-3271; reference:url,www.talosintelligence.com/reports/TALOS-2016-0198; classtype:attempted-admin; sid:40774; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Oracle Outside In Technology remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Index"; fast_pattern:only; pcre:"/\x2FIndex\s*?\x5b[\d\s\x3d\x00]*?[^\d\s\x5d\x3d\x00]/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3271; reference:url,www.talosintelligence.com/reports/TALOS-2016-0198; classtype:attempted-admin; sid:40773; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Nitro Pro PDF Font Widths tag out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Font/Widths["; fast_pattern:only; pcre:"/\x2FFont\x2FWidths\x5B[^\x5D\x00]*?\x2F\w/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8711; reference:url,www.talosintelligence.com/reports/TALOS-2016-0224; classtype:attempted-user; sid:40757; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Nitro Pro PDF Font Widths tag out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Font/Widths["; fast_pattern:only; pcre:"/\x2FFont\x2FWidths\x5B[^\x5D\x00]*?\x2F\w/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8711; reference:url,www.talosintelligence.com/reports/TALOS-2016-0224; classtype:attempted-user; sid:40756; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus ipNameAdd stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Catalog"; content:"stream"; within:75; isdataat:256,relative; content:!"endstream"; within:256; content:!"/Adobe.PPK"; nocase; pcre:"/\x2fCatalog\s[^\x3e\x3c]*?\x3e\x3e\s*stream\s+[\x21-\x7e]{256}/"; metadata:service smtp; reference:cve,2016-8335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0202; classtype:attempted-admin; sid:40487; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus ipNameAdd stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Catalog"; isdataat:256,relative; content:!">>"; within:256; content:!"/Adobe.PPK"; nocase; pcre:"/\x2fCatalog\s[^\x3e\x3c]*?[\x21-\x2e\x30-\x7e]{256}/"; metadata:service smtp; reference:cve,2016-8335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0202; classtype:attempted-admin; sid:40486; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus ipNameAdd stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Catalog"; content:"stream"; within:75; isdataat:256,relative; content:!"endstream"; within:256; content:!"/Adobe.PPK"; nocase; pcre:"/\x2fCatalog\s[^\x3e\x3c]*?\x3e\x3e\s*stream\s+[\x21-\x7e]{256}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0202; classtype:attempted-admin; sid:40485; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus ipNameAdd stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Catalog"; isdataat:256,relative; content:!">>"; within:256; content:!"/Adobe.PPK"; nocase; pcre:"/\x2fCatalog\s[^\x3e\x3c]*?[\x21-\x2e\x30-\x7e]{256}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8335; reference:url,www.talosintelligence.com/reports/TALOS-2016-0202; classtype:attempted-admin; sid:40484; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit PDF Reader JBIG2 parser out of bounds read attempt"; flow:to_server,established; file_data; content:"stream|0A 00 00 00 02 00 00 00 00 00 00 09 0A 00 00 00 00 00 00 00 00 00 00 00 03 00 20 02 00 00 00 00 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8334; reference:url,www.talosintelligence.com/reports/TALOS-2016-0201; classtype:attempted-recon; sid:40430; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit PDF Reader JBIG2 parser out of bounds read attempt"; flow:to_client,established; file_data; content:"stream|0A 00 00 00 02 00 00 00 00 00 00 09 0A 00 00 00 00 00 00 00 00 00 00 00 03 00 20 02 00 00 00 00 11 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8334; reference:url,www.talosintelligence.com/reports/TALOS-2016-0201; classtype:attempted-recon; sid:40429; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Argus ipfSetColourStroke stack buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|0A|/CS0|20|"; fast_pattern; nocase; content:"CS|0A|"; within:15; nocase; content:"stream"; within:100; distance:-100; pcre:"/^\x2fCS0\s+CS\s+([0-9\x2e\x2d]+\s+){10}/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8333; reference:url,www.talosintelligence.com/reports/TALOS-2016-0200/; classtype:attempted-user; sid:40337; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Argus ipfSetColourStroke stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0A|/CS0|20|"; fast_pattern; nocase; content:"CS|0A|"; within:15; nocase; content:"stream"; within:100; distance:-100; pcre:"/^\x2fCS0\s+CS\s+([0-9\x2e\x2d]+\s+){10}/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8333; reference:url,www.talosintelligence.com/reports/TALOS-2016-0200/; classtype:attempted-user; sid:40336; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Google Chrome PDFium jpeg2000 SIZ segment check failure heap buffer overflow attempt"; flow:to_server,established; file_data; content:"%PDF-"; depth:5; content:"jp2c|FF 4F FF 51|"; content:"|00 00|"; within:2; distance:36; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-1681; reference:url,www.talosintelligence.com/reports/TALOS-2016-0174/; classtype:attempted-user; sid:39162; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Google Chrome PDFium jpeg2000 SIZ segment check failure heap buffer overflow attempt"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; content:"jp2c|FF 4F FF 51|"; content:"|00 00|"; within:2; distance:36; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-1681; reference:url,www.talosintelligence.com/reports/TALOS-2016-0174/; classtype:attempted-user; sid:39161; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Oracle Outside In libvs_pdf Root xref stack exhaustion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Root"; fast_pattern; content:" R"; within:15; content:"%%EOF"; isdataat:!2,relative; content:!"/Catalog"; content:!"/ObjStm"; content:!"/Linearized"; metadata:service smtp; reference:cve,2016-3577; reference:url,www.talosintelligence.com/reports/TALOS-2016-0099; classtype:attempted-user; sid:38343; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Oracle Outside In libvs_pdf Root xref stack exhaustion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Root"; fast_pattern; content:" R"; within:15; content:"%%EOF"; isdataat:!2,relative; content:!"/Catalog"; content:!"/ObjStm"; content:!"/Linearized"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3577; reference:url,www.talosintelligence.com/reports/TALOS-2016-0099; classtype:attempted-user; sid:38342; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Oracle IOT IX SDK libvs_pdf null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/GS1 gs|0D|0 Tc|0D|0 Tw|0D 28|Results|29|Tj|0D|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3576; reference:url,www.talosintelligence.com/reports/TALOS-2016-0098; classtype:attempted-user; sid:38290; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Oracle IOT IX SDK libvs_pdf null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/GS1 gs|0D|0 Tc|0D|0 Tw|0D 28|Results|29|Tj|0D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3576; reference:url,www.talosintelligence.com/reports/TALOS-2016-0098; classtype:attempted-user; sid:38289; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Oracle Outside In libvs_pdf integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Kids"; content:!"["; within:10; pcre:"/\x2fKids\s*[^\s]{8}/i"; metadata:service smtp; reference:cve,2016-3574; reference:url,www.talosintelligence.com/reports/TALOS-2016-0096; classtype:attempted-user; sid:37869; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Oracle Outside In libvs_pdf integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Kids"; content:!"["; within:10; pcre:"/\x2fKids\s*[^\s]{8}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3574; reference:url,www.talosintelligence.com/reports/TALOS-2016-0096; classtype:attempted-user; sid:37868; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Oracle Outside In libvs_pdf arbitrary pointer access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Type "; content:!"/"; within:25; pcre:"/\x2fType\s+\d/i"; metadata:service smtp; reference:cve,2016-3579; reference:url,www.talosintelligence.com/reports/TALOS-2016-0101; classtype:attempted-recon; sid:37867; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Oracle Outside In libvs_pdf arbitrary pointer access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"/Type "; content:!"/"; within:25; pcre:"/\x2fType\s+\d/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3579; reference:url,www.talosintelligence.com/reports/TALOS-2016-0101; classtype:attempted-recon; sid:37866; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Oracle Outside In libvs_pdf xref offset out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xref"; content:"|20|n|0D 0D 0A|"; within:256; byte_test:10,>,0x07FFFFFE,0,relative,string,dec; metadata:service smtp; reference:cve,2016-3580; reference:url,www.talosintelligence.com/reports/TALOS-2016-0102; classtype:attempted-user; sid:37865; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Oracle Outside In libvs_pdf xref offset out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xref"; content:"|20|n|0D 0D 0A|"; within:256; byte_test:10,>,0x07FFFFFE,0,relative,string,dec; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3580; reference:url,www.talosintelligence.com/reports/TALOS-2016-0102; classtype:attempted-user; sid:37864; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Oracle Outside In libvs_pdf integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"trailer"; content:"/Size"; within:100; nocase; byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:service smtp; reference:cve,2016-3575; reference:url,www.talosintelligence.com/reports/TALOS-2016-0097; classtype:attempted-user; sid:37863; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Oracle Outside In libvs_pdf integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"trailer"; content:"/Size"; within:100; nocase; byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3575; reference:url,www.talosintelligence.com/reports/TALOS-2016-0097; classtype:attempted-user; sid:37862; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF IBM Domino KeyView PDF Filter Trailer ID array heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"trailer"; content:"/ID"; within:100; content:"["; within:10; isdataat:300,relative; content:!"]"; within:300; pcre:"/\x2fID[\s\r\n]*\x5b[^\x5d]{300}/"; metadata:service smtp; reference:cve,2016-0301; reference:url,www.talosintelligence.com/reports/TALOS-2016-0092/; classtype:attempted-user; sid:37502; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF IBM Domino KeyView PDF Filter Trailer ID array heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; depth:5; content:"trailer"; content:"/ID"; within:100; content:"["; within:10; isdataat:300,relative; content:!"]"; within:300; pcre:"/\x2fID[\s\r\n]*\x5b[^\x5d]{300}/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0301; reference:url,www.talosintelligence.com/reports/TALOS-2016-0092/; classtype:attempted-user; sid:37501; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF IBM Domino KeyView PDF Filter Basefont string overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/BaseFont"; isdataat:10,relative; content:!"/"; within:10; content:"obj"; isdataat:250,relative; content:!"["; within:50; content:!"stream"; within:230; content:!"endobj"; within:230; pcre:"/\/BaseFont\s*(?P<object>\d+).*?[\x0d\x0a](?P=object)\s*\d+\s*obj.{5}[^\x0a\x0d]{100}/smi"; metadata:service smtp; reference:cve,2016-0279; reference:url,www.talosintelligence.com/reports/TALOS-2016-0091; classtype:attempted-user; sid:37500; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF IBM Domino KeyView PDF Filter Basefont string overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/BaseFont"; isdataat:10,relative; content:!"/"; within:10; content:"obj"; isdataat:250,relative; content:!"["; within:50; content:!"stream"; within:230; content:!"endobj"; within:230; pcre:"/\/BaseFont\s*(?P<object>\d+).*?[\x0d\x0a](?P=object)\s*\d+\s*obj.{5}[^\x0a\x0d]{100}/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0279; reference:url,www.talosintelligence.com/reports/TALOS-2016-0091; classtype:attempted-user; sid:37499; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF IBM Domino KeyView PDF filter encrypted stream code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Encrypt"; content:"/Filter/Standard"; within:200; distance:-100; content:"/Length "; within:200; distance:-100; byte_test:10,>,128,0,relative,string; metadata:service smtp; reference:cve,2016-0277; reference:url,www.talosintelligence.com/reports/TALOS-2016-0089; classtype:attempted-user; sid:37498; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF IBM Domino KeyView PDF filter encrypted stream code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Encrypt"; content:"/Filter/Standard"; within:200; distance:-100; content:"/Length "; within:200; distance:-100; byte_test:10,>,128,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0277; reference:url,www.talosintelligence.com/reports/TALOS-2016-0089; classtype:attempted-user; sid:37497; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF IBM Domino KeyView PDF filter compressed stream length code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Filter/"; fast_pattern; content:"/Length "; within:200; distance:-100; byte_test:10,>,2147483646,0,relative,string; metadata:service smtp; reference:cve,2016-0278; reference:url,www.talosintelligence.com/reports/TALOS-2016-0090; classtype:attempted-user; sid:37496; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF IBM Domino KeyView PDF filter compressed stream length code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Filter/"; fast_pattern; content:"/Length "; within:200; distance:-100; byte_test:10,>,2147483646,0,relative,string; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0278; reference:url,www.talosintelligence.com/reports/TALOS-2016-0090; classtype:attempted-user; sid:37495; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 0C 6A 50 20 20|"; content:"flst"; distance:0; byte_extract:2,0,nfrag,relative; content:"flst"; distance:0; byte_test:2,>,nfrag,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11251; reference:cve,2017-3055; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-admin; sid:42213; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|00 00 00 0C 6A 50 20 20|"; content:"flst"; distance:0; byte_extract:2,0,nfrag,relative; content:"flst"; distance:0; byte_test:2,>,nfrag,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11251; reference:cve,2017-3055; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-admin; sid:42212; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"/JS"; distance:0; content:".streamFromString"; distance:0; fast_pattern; content:".stringFromStream"; within:500; distance:-250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3056; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42203; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"/JS"; distance:0; content:".streamFromString"; distance:0; fast_pattern; content:".stringFromStream"; within:500; distance:-250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3056; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42202; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"new Array("; content:".length"; within:100; content:"Collab.documentToStream("; within:100; fast_pattern; content:"endstream"; within:1000; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3057; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42176; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"new Array("; content:".length"; within:100; content:"Collab.documentToStream("; within:100; fast_pattern; content:"endstream"; within:1000; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3057; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42175; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt"; flow:to_server,established; file_data; content:"%PDF-"; depth:5; content:"/JPXDecode"; content:"/Height "; within:100; byte_extract:10,0,height,relative,string,dec; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; byte_test:4,!=,height,8,relative; content:"|00 00 00 00|"; within:4; distance:16; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3023; reference:cve,2017-3032; reference:cve,2017-3044; reference:cve,2017-3046; reference:cve,2017-8728; reference:cve,2017-8737; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8737; classtype:attempted-user; sid:42286; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; content:"/JPXDecode"; content:"/Height "; within:100; byte_extract:10,0,height,relative,string,dec; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; byte_test:4,!=,height,8,relative; content:"|00 00 00 00|"; within:4; distance:16; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3023; reference:cve,2017-3032; reference:cve,2017-3044; reference:cve,2017-3046; reference:cve,2017-8728; reference:cve,2017-8737; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8737; classtype:attempted-user; sid:42285; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; within:250; content:"pclr"; within:250; byte_extract:4,-8,len,relative; content:"|0A|endstream"; within:len; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3045; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42276; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; within:250; content:"pclr"; within:250; byte_extract:4,-8,len,relative; content:"|0A|endstream"; within:len; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3045; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42275; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt"; flow:to_server,established; file_data; content:"%PDF-"; depth:5; content:"/JPXDecode"; content:"/Width "; within:100; byte_extract:10,0,width,relative,string,dec; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; byte_test:4,!=,width,4,relative; content:"|00 00 00 00|"; within:4; distance:16; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3023; reference:cve,2017-3032; reference:cve,2017-3044; reference:cve,2017-3046; reference:cve,2017-8728; reference:cve,2017-8737; reference:cve,2018-8464; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8737; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8464; classtype:attempted-user; sid:42312; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; content:"/JPXDecode"; content:"/Width "; within:100; byte_extract:10,0,width,relative,string,dec; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; byte_test:4,!=,width,4,relative; content:"|00 00 00 00|"; within:4; distance:16; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3023; reference:cve,2017-3032; reference:cve,2017-3044; reference:cve,2017-3046; reference:cve,2017-8728; reference:cve,2017-8737; reference:cve,2018-8464; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8737; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8464; classtype:attempted-user; sid:42311; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|0F 63 6F 6C 72 01 02 01 00 00 00 0C 00 00 02 3E 70 63 6C 72 00 7A 04 8F 07 1D 07 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3022; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42310; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0F 63 6F 6C 72 01 02 01 00 00 00 0C 00 00 02 3E 70 63 6C 72 00 7A 04 8F 07 1D 07 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3022; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42309; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt"; flow:to_server, established; file_data; content:"|00 01 00 00 00 15 01 00 00 04 00 50 44 53 49 47 EA 40 F1 AC 00 02 94 8C 00 00 1A 74 45 42 44 54|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-3038; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42308; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt"; flow:to_client, established; file_data; content:"|00 01 00 00 00 15 01 00 00 04 00 50 44 53 49 47 EA 40 F1 AC 00 02 94 8C 00 00 1A 74 45 42 44 54|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3038; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42307; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Adobe.PPKLite"; fast_pattern; content:"/SubFilter"; within:300; pcre:!"/\x2fSubFilter\x2f(adbe|ETSI)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3039; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42299; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Adobe.PPKLite"; fast_pattern; content:"/SubFilter"; within:300; pcre:!"/\x2fSubFilter\x2f(adbe|ETSI)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3039; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42298; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|98 78 DF 70 1C 3B 71 D3 21 42 C0 7C 83 B2 A3 86 2A 63 42 C2 BD 03 BD 1C 0B 19 1A 26 08 28 E5 37|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3019; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42297; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|98 78 DF 70 1C 3B 71 D3 21 42 C0 7C 83 B2 A3 86 2A 63 42 C2 BD 03 BD 1C 0B 19 1A 26 08 28 E5 37|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3019; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42296; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt"; flow:to_server,established; content:"|26 62 8C 46 28 D0 55 5A B5 A7 EA C1 B5 DB B5 75 B7 EA FA 6A 14 D6 F2 10 17 54 54 14 D4 23 48 55|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-16362; reference:cve,2017-3041; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42344; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt"; flow:to_server,established; content:"|01 23 F8 1B 01 F8 17 04 39 FB 78 FA 3C FA 89 05 1D 00 45 6E DA 0D F7 16 0F F7 3E 10 F7 5A 11 EC|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-3041; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42343; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt"; flow:to_client,established; content:"|26 62 8C 46 28 D0 55 5A B5 A7 EA C1 B5 DB B5 75 B7 EA FA 6A 14 D6 F2 10 17 54 54 14 D4 23 48 55|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16362; reference:cve,2017-3041; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42342; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt"; flow:to_client,established; content:"|01 23 F8 1B 01 F8 17 04 39 FB 78 FA 3C FA 89 05 1D 00 45 6E DA 0D F7 16 0F F7 3E 10 F7 5A 11 EC|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3041; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42341; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:200; content:"|FF 4F FF 51|"; within:25; byte_extract:4,4,xsiz,relative; byte_test:4,>,xsiz,12,relative; metadata:service smtp; reference:cve,2017-16402; reference:cve,2017-3033; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42318; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:200; content:"|FF 4F FF 51|"; within:25; byte_extract:4,4,xsiz,relative; byte_test:4,>,xsiz,12,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16402; reference:cve,2017-3033; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:42317; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:200; content:"|FF 4F FF 51|"; within:25; byte_extract:4,8,ysiz,relative; byte_test:4,>,ysiz,12,relative; metadata:service smtp; reference:cve,2017-11230; reference:cve,2017-3033; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:42316; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:200; content:"|FF 4F FF 51|"; within:25; byte_extract:4,8,ysiz,relative; byte_test:4,>,ysiz,12,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-11230; reference:cve,2017-3033; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:42315; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader dll injection sandbox escape"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 6F 05 00 00 68 01 00 00 80 89 54 24 40 FF 54 24 4C 83 EC 0C 68 E0 01 00 00 8D 44 24 68 50 6A 00 6A 00 68 A9 05 00 00 FF B4 24 78 10 00 00 FF 54 24 50 68 C5 00 00 00|"; metadata:service smtp; reference:cve,2013-2730; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:42377; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe PDF JavaScript engine use after free memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"/JS"; content:"addAnnot"; within:200; content:"|2E|name"; within:200; content:"|2E|inReplyTo"; within:200; pcre:"/var\s+(?P<VAROBJ>.+)\s+=\s+this\.addAnnot.+(?P=VAROBJ)\.name\s+=\s+0.+(?P=VAROBJ)\.inReplyTo\s+=\s+0/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3047; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42415; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe PDF JavaScript engine use after free memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"/JS"; content:"addAnnot"; within:200; content:"|2E|name"; within:200; content:"|2E|inReplyTo"; within:200; pcre:"/var\s+(?P<VAROBJ>.+)\s+=\s+this\.addAnnot.+(?P=VAROBJ)\.name\s+=\s+0.+(?P=VAROBJ)\.inReplyTo\s+=\s+0/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3047; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42414; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF malformed embedded JPEG2000 image information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"stream"; content:"|FF 4F FF 51|"; within:200; content:"|FF 90|"; distance:0; byte_test:4,!=,0,4,relative; content:"|FF 90|"; within:2; distance:10; content:"|FF 52|"; content:"|FF 5C|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16374; reference:cve,2017-3029; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:misc-activity; sid:42476; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF malformed embedded JPEG2000 image information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"stream"; content:"|FF 4F FF 51|"; within:200; content:"|FF 90|"; distance:0; byte_test:4,!=,0,4,relative; content:"|FF 90|"; within:2; distance:10; content:"|FF 52|"; content:"|FF 5C|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16374; reference:cve,2017-3029; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:misc-activity; sid:42475; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|0A 20 20 20 20 20 20 20 20 2F 55 52 49 20 28 FE FF 41 42 43 44 29 0D 0A 20 20 20 20 3E 3E 0D 0A 20 20 20 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,97554; reference:cve,2017-3020; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42814; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0A 20 20 20 20 20 20 20 20 2F 55 52 49 20 28 FE FF 41 42 43 44 29 0D 0A 20 20 20 20 3E 3E 0D 0A 20 20 20 20|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,97554; reference:cve,2017-3020; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42813; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt"; flow:to_server,established; file_data; content:"|E0 67 2F 70 A7 16 51 AB F0 07 F3 C3 78 C9 69 03 8E E4 A4 29 BC DA 7B 79 07 40 D2 11 9D 4E 6A F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3030; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42803; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt"; flow:to_client,established; file_data; content:"|E0 67 2F 70 A7 16 51 AB F0 07 F3 C3 78 C9 69 03 8E E4 A4 29 BC DA 7B 79 07 40 D2 11 9D 4E 6A F3|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3030; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42802; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader invalid object reference use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|A3 4A AB 13 3A 1E C1 E1 44 DF 86 77 F7 B8 F8 FE E9 EB DF 6F 4F FF 6C D5 1F DB FD 56 7C 9E D5 CB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3026; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42791; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader invalid object reference use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A3 4A AB 13 3A 1E C1 E1 44 DF 86 77 F7 B8 F8 FE E9 EB DF 6F 4F FF 6C D5 1F DB FD 56 7C 9E D5 CB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3026; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42790; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Photoshop 3.0|00|"; content:"|FF ED|"; within:2; distance:-18; byte_test:2,<,20,0,relative; byte_jump:2,0,relative; content:!"|FF|"; within:1; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3053; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42789; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Photoshop 3.0|00|"; content:"|FF ED|"; within:2; distance:-18; byte_test:2,<,20,0,relative; byte_jump:2,0,relative; content:!"|FF|"; within:1; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3053; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42788; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|00 00 00 00 E7 E8 D9 E8 EB EC EB EA E9 ED EB ED EB EB E9 E8 EB E9 E8 E5 E8 ED EB EE EE EB EE ED|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3042; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42915; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|00 00 00 00 E7 E8 D9 E8 EB EC EB EA E9 ED EB ED EB EB E9 E8 EB E9 E8 E5 E8 ED EB EE EE EB EE ED|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3042; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42914; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|0D 01 02 00 E8 03 00 00 7E 01 00 00 11 01 04 00 01 00 00 00 08 00 00 00 16 01 03 00 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3042; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42913; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|0D 01 02 00 E8 03 00 00 7E 01 00 00 11 01 04 00 01 00 00 00 08 00 00 00 16 01 03 00 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3042; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42912; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.tiff; file_data; content:"|40 01 03 00 0C 00 00 00 96 01 00 00 00 00 00 00 66 6F 6F 2E 74 69 66 00 00 00 00 48 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3042; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42911; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|40 01 03 00 0C 00 00 00 96 01 00 00 00 00 00 00 66 6F 6F 2E 74 69 66 00 00 00 00 48 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3042; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42910; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt"; flow:to_server,established; file_data; content:"|8D 9D 6F 23 C4 2C E2 31 84 4B 77 F5 BD 1B 80 F4 BD E2 E7 E5 F2 EA E7 41 4C C4 E7 AD 4A AE 4A AA 9E 57 C5 70 CF FB 59 42 F4 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3025; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42897; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt"; flow:to_client,established; file_data; content:"|8D 9D 6F 23 C4 2C E2 31 84 4B 77 F5 BD 1B 80 F4 BD E2 E7 E5 F2 EA E7 41 4C C4 E7 AD 4A AE 4A AA 9E 57 C5 70 CF FB 59 42 F4 3C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3025; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42896; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/JPXDecode"; content:"jp2h"; distance:0; content:"ihdr"; distance:0; byte_extract:2,10,ihdrNC,relative; content:"pclr"; distance:0; byte_test:2,>,ihdrNC,3,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3021; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42889; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/JPXDecode"; content:"jp2h"; distance:0; content:"ihdr"; distance:0; byte_extract:2,10,ihdrNC,relative; content:"pclr"; distance:0; byte_test:2,>,ihdrNC,3,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3021; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42888; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:template"; distance:0; content:"select="; distance:0; content:"$"; within:1; distance:1; metadata:service smtp; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42877; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:stylesheet"; distance:0; content:"select="; distance:0; content:"$"; within:1; distance:1; metadata:service smtp; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42876; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:template"; distance:0; content:"select="; distance:0; content:"namespace::"; within:11; distance:1; metadata:service smtp; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42875; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:stylesheet"; distance:0; content:"select="; distance:0; content:"namespace::"; within:11; distance:1; metadata:service smtp; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42874; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:template"; distance:0; content:"select="; distance:0; content:"$"; within:1; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42873; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:stylesheet"; distance:0; content:"select="; distance:0; content:"$"; within:1; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42872; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:template"; distance:0; content:"select="; distance:0; content:"namespace::"; within:11; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42871; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:".applyXSL|28|"; fast_pattern:only; content:"<xfa:datasets"; content:"<xsl:stylesheet"; distance:0; content:"select="; distance:0; content:"namespace::"; within:11; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3031; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:misc-activity; sid:42870; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa[0].xdc[0].#deviceInfo[0].dashDotDot[0].##text[0]"; fast_pattern:only; content:"resolveNode"; nocase; content:"xfa[0].form[0].outerform[0].#subform[0]"; within:50; nocase; content:"xfa.layout.relayout"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3035; reference:cve,2018-16003; reference:cve,2018-16011; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-02.html; classtype:attempted-user; sid:42869; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa[0].xdc[0].#deviceInfo[0].dashDotDot[0].##text[0]"; fast_pattern:only; content:"resolveNode"; nocase; content:"xfa[0].form[0].outerform[0].#subform[0]"; within:50; nocase; content:"xfa.layout.relayout"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3035; reference:cve,2018-16003; reference:cve,2018-16011; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-02.html; classtype:attempted-user; sid:42868; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF memory corruption attempt"; flow:to_server,established; file_data; content:"|E3 E4 BC 38 FB 91 95 A3 6C D7 07 A4 77 26 8F E1 CF 1E B8 42 61 06 81 84 54 76 FE 0E 53 56 3C 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3017; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42860; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF memory corruption attempt"; flow:to_client,established; file_data; content:"|E3 E4 BC 38 FB 91 95 A3 6C D7 07 A4 77 26 8F E1 CF 1E B8 42 61 06 81 84 54 76 FE 0E 53 56 3C 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3017; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42859; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA large array use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".resetForm("; content:".resetForm("; distance:0; content:"= new Array()|3B|"; content:".length = "; within:40; byte_test:10,>,2000,0,relative,string; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3014; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42943; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA large array use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".resetForm("; content:".resetForm("; distance:0; content:"= new Array()|3B|"; content:".length = "; within:40; byte_test:10,>,2000,0,relative,string; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3014; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|A1 6F AB 92 9B 8E AC EA 36 7E D9 51 F9 B2 AF 8E 23 3D EE 7A C2 7D 85 95 89 D4 07 F8 32 D8 F8 EF 6C 54 EF D5 68 B1 D4 D2 BA AB 4D 20 7A CA F9 55 54 F5 E6 91 C0 38 77 86 E0 F7 23 2E 19 5F 2C 94|"; fast_pattern:only; metadata:service smtp; reference:cve,2011-0226; classtype:attempted-user; sid:43677; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A1 6F AB 92 9B 8E AC EA 36 7E D9 51 F9 B2 AF 8E 23 3D EE 7A C2 7D 85 95 89 D4 07 F8 32 D8 F8 EF 6C 54 EF D5 68 B1 D4 D2 BA AB 4D 20 7A CA F9 55 54 F5 E6 91 C0 38 77 86 E0 F7 23 2E 19 5F 2C 94|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0226; classtype:attempted-user; sid:43676; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Annotations memory corruption attempt"; flow:to_server,established; file_data; content:"|B5 1F 02 58 EA 96 5A 8D FF 00 F6 8B 5F DE CB 79 E6 96 91 98 B4 DC 9C 87 27 18 E1 7A 92 C4 16 C8 0C 11 3D 36 80 0A 28 A2 80 0A 28 AC 39 35 3B F9|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3024; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:43434; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Annotations memory corruption attempt"; flow:to_client,established; file_data; content:"|B5 1F 02 58 EA 96 5A 8D FF 00 F6 8B 5F DE CB 79 E6 96 91 98 B4 DC 9C 87 27 18 E1 7A 92 C4 16 C8 0C 11 3D 36 80 0A 28 A2 80 0A 28 AC 39 35 3B F9|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3024; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:43433; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"getNthFieldName"; fast_pattern:only; content:"toString:"; content:"function"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42972; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"getNthFieldName"; fast_pattern:only; content:"toString:"; content:"function"; within:50; metadata:service smtp; reference:cve,2017-3037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42971; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".__defineGetter__"; content:"function"; within:25; content:"Array("; content:"toString:"; metadata:service smtp; reference:cve,2017-3037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42970; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".__defineGetter__"; content:"function"; within:25; content:"Array("; content:"toString:"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3037; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-11.html; classtype:attempted-user; sid:42969; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Iceni Infix PDF parsing out of bounds write attempt"; flow:to_server,established; file_data; content:"|20 00 00 33 00 00 00 00 00 2F|Root 175 0 R|00 2F 00 00 00 00 2F 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2863; reference:url,www.talosintelligence.com/reports/TALOS-2017-0367/; classtype:attempted-user; sid:43213; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Iceni Infix PDF parsing out of bounds write attempt"; flow:to_client,established; file_data; content:"|20 00 00 33 00 00 00 00 00 2F|Root 175 0 R|00 2F 00 00 00 00 2F 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2863; reference:url,www.talosintelligence.com/reports/TALOS-2017-0367/; classtype:attempted-user; sid:43212; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Poppler readProgressiveSOF out of bounds write attempt"; flow:to_server,established; file_data; content:"%PDF-"; depth:5; content:"/DCTDecode"; content:"stream"; within:250; content:"|FF D8|"; within:10; content:"|FF DB|"; within:100; byte_jump:2,0,relative,post_offset -2; content:"|FF C2|"; within:2; byte_test:1,>,4,7,relative; metadata:service smtp; reference:cve,2017-2818; reference:url,www.talosintelligence.com/reports/TALOS-2017-0319; classtype:attempted-user; sid:42353; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Poppler readProgressiveSOF out of bounds write attempt"; flow:to_client,established; file_data; content:"%PDF-"; depth:5; content:"/DCTDecode"; content:"stream"; within:250; content:"|FF D8|"; within:10; content:"|FF DB|"; within:100; byte_jump:2,0,relative,post_offset -2; content:"|FF C2|"; within:2; byte_test:1,>,4,7,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2818; reference:url,www.talosintelligence.com/reports/TALOS-2017-0319; classtype:attempted-user; sid:42352; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Poppler PDF library embedded jp2 COD levels integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"|00 00 00 0C 6A|"; distance:0; content:"jp2c|FF 4F FF 51|"; distance:0; byte_jump:2,0,relative,post_offset -2; content:"|FF 52|"; within:2; byte_test:1,>,0x19,7,relative; metadata:service smtp; reference:cve,2017-2820; reference:url,www.talosintelligence.com/reports/TALOS-2017-0321; classtype:attempted-admin; sid:42320; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Poppler PDF library embedded jp2 COD levels integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"|00 00 00 0C 6A|"; distance:0; content:"jp2c|FF 4F FF 51|"; distance:0; byte_jump:2,0,relative,post_offset -2; content:"|FF 52|"; within:2; byte_test:1,>,0x19,7,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-2820; reference:url,www.talosintelligence.com/reports/TALOS-2017-0321; classtype:attempted-admin; sid:42319; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Poppler DCTStream readScan heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|BC C9 71 6C CF 64 E2 B8 2A F6 24 E5 89 B9 00 20 08 E0 11 0B 41 80 00 B1 11 20 16 62 5F 08 02 5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-2814; reference:url,www.talosintelligence.com/reports/TALOS-2017-0311/; classtype:attempted-user; sid:42274; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Poppler DCTStream readScan heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|BC C9 71 6C CF 64 E2 B8 2A F6 24 E5 89 B9 00 20 08 E0 11 0B 41 80 00 B1 11 20 16 62 5F 08 02 5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2814; reference:url,www.talosintelligence.com/reports/TALOS-2017-0311/; classtype:attempted-user; sid:42273; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF MuPDF Fitz library font glyph scaling code execution vulnerability attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"cm|0A|BI|0A|/W 4|0A|/CS /RGB|0A|/H 1|0A|ID"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8728; reference:url,www.talosintelligence.com/reports/TALOS-2016-0242/; classtype:attempted-user; sid:41471; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF MuPDF Fitz library font glyph scaling code execution vulnerability attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"cm|0A|BI|0A|/W 4|0A|/CS /RGB|0A|/H 1|0A|ID"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8728; reference:url,www.talosintelligence.com/reports/TALOS-2016-0242/; classtype:attempted-user; sid:41470; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Artifex MuPDF JBIG2 negative width value out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JBIG2Globals "; fast_pattern:only; content:">>|0A|stream|0A 00 00 00 00|"; nocase; pcre:"/>>\nstream\n\x00\x00\x00\x00[\x26\x27]\x00\x00.{4}[\x80-\xFF]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-8729; reference:url,www.talosintelligence.com/reports/TALOS-2016-0243; classtype:attempted-user; sid:41225; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Artifex MuPDF JBIG2 negative width value out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JBIG2Globals "; fast_pattern:only; content:">>|0A|stream|0A 00 00 00 00|"; nocase; pcre:"/>>\nstream\n\x00\x00\x00\x00[\x26\x27]\x00\x00.{4}[\x80-\xFF]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-8729; reference:url,www.talosintelligence.com/reports/TALOS-2016-0243; classtype:attempted-user; sid:41224; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Nitro Pro PDF Reader out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:" cs|0D 0A|0.8 0.0 0.0 0.0 scn|0D|50 400 "; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2796; reference:cve,2016-8713; reference:url,www.talosintelligence.com/reports/TALOS-2016-0226/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0289/; classtype:attempted-user; sid:41197; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Nitro Pro PDF Reader out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:" cs|0D 0A|0.8 0.0 0.0 0.0 scn|0D|50 400 "; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2796; reference:cve,2016-8713; reference:url,www.talosintelligence.com/reports/TALOS-2016-0226/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0289/; classtype:attempted-user; sid:41196; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/T "; content:"|FE FF|"; within:5; pcre:"/\x2FT\s+[^\x3E]{0,5}\xFE\xFF[\x20-\x7E]{5}/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11236; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43887; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/T "; content:"|FE FF|"; within:5; pcre:"/\x2FT\s+[^\x3E]{0,5}\xFE\xFF[\x20-\x7E]{5}/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11236; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43886; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt"; flow:to_server,established; file_data; content:"|3E 31 31 28 3E 2A 29 31 31 28 5C 30 31 37 5C 32 33 34 5C 66 47 24 55 5C 62 5E 29 31 31 28 5C 62 5D 5C 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11221; reference:url,helpx.adobe.com/security/products/reader/apsb17-24.html; classtype:attempted-user; sid:43884; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt"; flow:to_client,established; file_data; content:"|3E 31 31 28 3E 2A 29 31 31 28 5C 30 31 37 5C 32 33 34 5C 66 47 24 55 5C 62 5E 29 31 31 28 5C 62 5D 5C 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11221; reference:url,helpx.adobe.com/security/products/reader/apsb17-24.html; classtype:attempted-user; sid:43883; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt"; flow:to_server,established; file_data; content:"|AA 52 DD EB 76 FA 71 DC D3 8A A9 4E F5 65 3F A4 6F EA 1A 8C 33 B8 04 55 D8 2D E4 B5 B3 28 51 C9|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11231; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43882; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt"; flow:to_client,established; file_data; content:"|AA 52 DD EB 76 FA 71 DC D3 8A A9 4E F5 65 3F A4 6F EA 1A 8C 33 B8 04 55 D8 2D E4 B5 B3 28 51 C9|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11231; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43881; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/BaseEncoding"; content:"/WinAnsiEncoding"; within:50; content:"/Differences"; within:50; content:"-"; within:25; content:"/Encoding"; content:"/PDFDocEncoding"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11263; reference:url,helpx.adobe.com/security/products/reader/apsb17-24.html; classtype:attempted-user; sid:43878; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/BaseEncoding"; content:"/WinAnsiEncoding"; within:50; content:"/Differences"; within:50; content:"-"; within:25; content:"/Encoding"; content:"/PDFDocEncoding"; within:50; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11263; reference:url,helpx.adobe.com/security/products/reader/apsb17-24.html; classtype:attempted-user; sid:43877; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt"; flow:to_server,established; file_data; content:"|83 E0 F5 BA C0 B2 9A 43 DF 89 1F C0 EF 07 9F D6 50 DF D4 DC BB 93 EA C1 9F 0A F3 8D 35 0D 75 EB|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43870; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt"; flow:to_client,established; file_data; content:"|83 E0 F5 BA C0 B2 9A 43 DF 89 1F C0 EF 07 9F D6 50 DF D4 DC BB 93 EA C1 9F 0A F3 8D 35 0D 75 EB|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43869; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt"; flow:to_server,established; file_data; content:"|00 01 00 00 00 01 00 00 66 67 6E 35 5F 0F 3C F5 00 1B 08 00 00 00 00 00 BD 92 32 7F 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43868; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt"; flow:to_client,established; file_data; content:"|00 01 00 00 00 01 00 00 66 67 6E 35 5F 0F 3C F5 00 1B 08 00 00 00 00 00 BD 92 32 7F 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3116; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43867; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"q Q q 1179 12.00005 m 1179 829.9"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11265; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43980; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"q Q q 1179 12.00005 m 1179 829.9"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11265; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43979; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|F9 F3 9F F1 7C 3B DC 7F DD 0F 9F FF 8B A7 5F 77 FE 77 F9 1C 29 07 72 F3 E6 FF FE FC 1F 9F FF EF E7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11265; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43978; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|F9 F3 9F F1 7C 3B DC 7F DD 0F 9F FF 8B A7 5F 77 FE 77 F9 1C 29 07 72 F3 E6 FF FE FC 1F 9F FF EF E7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11265; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43977; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt"; flow:to_server,established; flowbits:isset,file.fdf; file_data; content:"<</FDF<</Annots"; fast_pattern:only; content:"/S /Rendition"; content:"/JS"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11229; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43962; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt"; flow:to_client,established; flowbits:isset,file.fdf; file_data; content:"<</FDF<</Annots"; fast_pattern:only; content:"/S /Rendition"; content:"/JS"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11229; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43961; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JS"; content:"xfa.resolveNode"; within:250; fast_pattern; content:"app.setInterval"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11219; reference:cve,2018-4888; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:43949; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JS"; content:"xfa.resolveNode"; within:250; fast_pattern; content:"app.setInterval"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11219; reference:cve,2018-4888; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:43948; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/AcroForm"; content:"xfa.form.remerge"; content:"/OpenAction <<"; fast_pattern; content:"/JS"; within:15; content:".clearInterval"; content:".setInterval"; within:200; metadata:service smtp; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43927; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/AcroForm"; content:"xfa.form.remerge"; content:"/OpenAction <<"; fast_pattern; content:"/JS"; within:15; content:".clearInterval"; content:".setInterval"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43926; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/U3D"; within:20; content:"|50 52 43 C9 1F 00 00|"; within:50; content:"|50 52 43 C9 1F 00 00|"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11222; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43925; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; nocase; content:"/U3D"; within:20; content:"|50 52 43 C9 1F 00 00|"; within:50; content:"|50 52 43 C9 1F 00 00|"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11222; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43924; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject("; content:"cName|3A|"; within:50; content:".terminal"; within:50; metadata:service smtp; reference:bugtraq,100189; reference:cve,2017-3118; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43923; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject("; content:"cName|3A|"; within:50; content:".ps1"; within:50; metadata:service smtp; reference:bugtraq,100189; reference:cve,2017-3118; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43922; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject("; content:"cName|3A|"; within:50; content:".diagcab"; within:50; metadata:service smtp; reference:bugtraq,100189; reference:cve,2017-16380; reference:cve,2017-3118; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:43921; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject("; content:"cName|3A|"; within:50; content:".terminal"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,100189; reference:cve,2017-3118; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43920; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject("; content:"cName|3A|"; within:50; content:".ps1"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,100189; reference:cve,2017-3118; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43919; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"exportDataObject("; content:"cName|3A|"; within:50; content:".diagcab"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,100189; reference:cve,2017-16380; reference:cve,2017-3118; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:43918; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/AcroForm"; content:"/OpenAction <<"; fast_pattern; content:"/JS"; within:15; content:"xfa.resolveNode"; content:".rawValue"; within:130; metadata:service smtp; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43915; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/AcroForm"; content:"/OpenAction <<"; fast_pattern; content:"/JS"; within:15; content:"xfa.resolveNode"; content:".rawValue"; within:130; metadata:service ftp-data, service http, service imap, service pop3; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43914; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA loadXML use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets"; fast_pattern; content:"loadXML|28 22 22|"; within:120; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11224; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43907; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA loadXML use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets"; fast_pattern; content:"loadXML|28 22 22|"; within:120; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11224; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43906; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader execMenuItem buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"this.closeDoc("; content:"app.execMenuItem("; fast_pattern; content:"Print"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43905; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader execMenuItem buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"this.closeDoc("; content:"app.execMenuItem("; fast_pattern; content:"Print"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11220; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43904; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt"; flow:to_client,established; file_data; content:"|89 B6 DA 8B D6 82 F5 51 F5 5A C1 2B 56 6B D5 22 A2 B7 BD 42 CE FD F7 49 40 E9 D7 EF DE EF 7E F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11237; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43998; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt"; flow:to_server,established; file_data; content:"|89 B6 DA 8B D6 82 F5 51 F5 5A C1 2B 56 6B D5 22 A2 B7 BD 42 CE FD F7 49 40 E9 D7 EF DE EF 7E F7|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11237; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43997; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|50 14 42 BC D3 E7 83 90 B8 40 01 41 50 2E 10 16 51 88 7C 11 CF 78 18 7B C6 36 C9 24 31 FE 1A 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11252; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43994; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|50 14 42 BC D3 E7 83 90 B8 40 01 41 50 2E 10 16 51 88 7C 11 CF 78 18 7B C6 36 C9 24 31 FE 1A 7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11252; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43993; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 00 80 80 FF 00 FF FF 00 00 00 FF 00 02 00 00 00 02 FF 00 00 02 FF FF 00 0A 65|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11252; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43992; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 00 80 80 FF 00 FF FF 00 00 00 FF 00 02 00 00 00 02 FF 00 00 02 FF FF 00 0A 65|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11252; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:43991; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"exportAsXFAStr"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,100182; reference:cve,2017-3113; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44014; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"exportAsXFAStr"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,100182; reference:cve,2017-3113; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44013; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt"; flow:to_server,established; file_data; content:"|F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 FF C1 00 11 08 00 20 00 20 03 01 22 00 02 11 01 03 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11235; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44054; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt"; flow:to_client,established; file_data; content:"|F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 F8 FF C1 00 11 08 00 20 00 20 03 01 22 00 02 11 01 03 11|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11235; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44053; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit PDF Reader Launch action buffer overflow attempt"; flow:established,to_client; flowbits:isset,file.pdf; file_data; content:"Type"; nocase; content:"/Action"; within:40; nocase; content:"Launch"; within:40; nocase; isdataat:300,relative; content:!")"; within:300; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,34035; reference:cve,2009-0837; reference:url,foxitsoftware.com/support/security-bulletins.php; classtype:attempted-user; sid:44040; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit PDF Reader Launch action buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Type"; nocase; content:"/Action"; within:40; nocase; content:"Launch"; within:40; nocase; isdataat:300,relative; content:!")"; within:300; metadata:service smtp; reference:bugtraq,34035; reference:cve,2009-0837; reference:url,foxitsoftware.com/support/security-bulletins.php; classtype:attempted-user; sid:44039; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:".saveAs|28|"; fast_pattern:only; pcre:"/\x2EsaveAs\x28[\x22\x27][^\x29]+\x2E((?!pdf).{3})[\x22\x27]\x29/i"; metadata:service smtp; reference:cve,2017-10952; reference:cve,2017-7442; reference:url,www.thezdi.com/blog/2017/8/17/busting-myths-in-foxit-reader; classtype:attempted-user; sid:44104; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:".saveAs|28|"; fast_pattern:only; pcre:"/\x2EsaveAs\x28[\x22\x27][^\x29]+\x2E((?!pdf).{3})[\x22\x27]\x29/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-10952; reference:cve,2017-7442; reference:url,www.thezdi.com/blog/2017/8/17/busting-myths-in-foxit-reader; classtype:attempted-user; sid:44103; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Multiple products PDF JavaScript launchURL command injection and remote code execution attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".launchURL("; content:!"tp:|2F 2F|"; within:20; content:"/JavaScript"; pcre:"/launchURL\([\x22\x27][A-Z]\x24?\x3A[^\x22\x27]+[\x22\x27]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-10951; reference:cve,2017-7442; classtype:attempted-user; sid:44098; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".launchURL("; nocase; content:!"tp:|2F 2F|"; within:20; content:"/Javascript"; nocase; pcre:"/launchURL\([\x22\x27][A-Z]\x3A[^\x22\x27]+[0x22\x27]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-10951; classtype:attempted-admin; sid:44097; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<event"; fast_pattern; content:"activity"; within:50; content:"initialize"; within:50; content:"xfa.form"; within:250; content:".use"; within:250; content:"<event"; content:"activity"; within:50; content:"initialize"; within:50; content:"<submit"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11218; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44084; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<event"; fast_pattern; content:"activity"; within:50; content:"initialize"; within:50; content:"xfa.form"; within:250; content:".use"; within:250; content:"<event"; content:"activity"; within:50; content:"initialize"; within:50; content:"<submit"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11218; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44083; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt"; flow:to_server,established; file_data; content:"|8C 84 69 48 C2 9C 44 31 16 05 89 72 24 E4 47 49 44 22 E4 4C 0C 2F C2 B2 08 51 84 84 49 3A 21 D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3115; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-recon; sid:44075; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt"; flow:to_client,established; file_data; content:"|8C 84 69 48 C2 9C 44 31 16 05 89 72 24 E4 47 49 44 22 E4 4C 0C 2F C2 B2 08 51 84 84 49 3A 21 D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3115; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-recon; sid:44074; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/SubmitForm"; content:"/F"; within:200; distance:-100; content:"#"; within:100; pcre:"/\x2fF\s*?\x28\s*?((ht|f)tps?:\x2f\x2f)[^\x29]*?#/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3115; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-recon; sid:44073; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/SubmitForm"; content:"/F"; within:200; distance:-100; content:"#"; within:100; pcre:"/\x2fF\s*?\x28\s*?((ht|f)tps?:\x2f\x2f)[^\x29]*?#/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3115; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-recon; sid:44072; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"ICC_PROFILE|00|"; byte_extract:1,0,blockNum,relative; byte_test:1,<,blockNum,0,relative; metadata:policy max-detect-ips drop, service smtp; reference:cve,2017-11211; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44170; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"ICC_PROFILE|00|"; byte_extract:1,0,blockNum,relative; byte_test:1,<,blockNum,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11211; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44169; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA event use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<subform"; nocase; content:"<script"; nocase; content:"event.target"; fast_pattern; content:".closeDoc("; within:80; nocase; content:".calculate"; nocase; content:".oneOfChild"; within:60; nocase; content:"assist"; within:80; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11223; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44145; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA event use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<subform"; nocase; content:"<script"; nocase; content:"event.target"; fast_pattern; content:".closeDoc("; within:80; nocase; content:".calculate"; nocase; content:".oneOfChild"; within:60; nocase; content:"assist"; within:80; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11223; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44144; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt"; flow:to_server,established; file_data; content:"|44 EF 82 FF 30 F5 62 42 4A 69 4B 7B 5A BC F6 27 A4 87 10 6C CD 45 21 46 6B 94 FC 7B 37 62 A1 7B|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-3119; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44209; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt"; flow:to_client,established; file_data; content:"|44 EF 82 FF 30 F5 62 42 4A 69 4B 7B 5A BC F6 27 A4 87 10 6C CD 45 21 46 6B 94 FC 7B 37 62 A1 7B|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3119; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44208; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt"; flow:to_server,established; file_data; content:"+= |22 27 22| + i + |22 27|,|22 3B|"; content:"+= |22|]|3B|"; within:25; content:"+= |22|try {"; within:50; content:"Function("; within:200; nocase; metadata:service smtp; reference:cve,2017-3119; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44207; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"+= |22 27 22| + i + |22 27|,|22 3B|"; content:"+= |22|]|3B|"; within:25; content:"+= |22|try {"; within:50; content:"Function("; within:200; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-3119; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44206; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Nitro Pro malformed object index buffer overflow attempt"; flow:to_server,established; file_data; content:"%PDF-1.2|0D 25 E2 E3 CF D3 0A|"; depth:15; content:" 0 obj"; distance:0; pcre:"/\x25PDF-1\x2E2\x0D\x25\xE2\xE3\xCF\xD3\x0A[A-Za-z0-9]{11,}\x200\x20obj/"; metadata:service smtp; reference:url,www.nitropdf.com; classtype:attempted-user; sid:44370; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Nitro Pro malformed object index buffer overflow attempt"; flow:to_client,established; file_data; content:"%PDF-1.2|0D 25 E2 E3 CF D3 0A|"; depth:15; content:" 0 obj"; distance:0; pcre:"/\x25PDF-1\x2E2\x0D\x25\xE2\xE3\xCF\xD3\x0A[A-Za-z0-9]{11,}\x200\x20obj/"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.nitropdf.com; classtype:attempted-user; sid:44369; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; nocase; content:"|FF 4F FF 51|"; within:500; byte_test:4,>,0x19fa,4,relative; byte_test:4,>,0x19fa,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-11227; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44794; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; nocase; content:"|FF 4F FF 51|"; within:500; byte_test:4,>,0x19fa,4,relative; byte_test:4,>,0x19fa,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-11227; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-24.html; classtype:attempted-user; sid:44793; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:".addAnnot("; within:200; content:".addField("; within:200; content:".popupRect"; within:200; content:".setAction("; within:50; content:"OnFocus"; within:50; content:".popupOpen"; within:50; content:".setFocus()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16393; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44857; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:".addAnnot("; within:200; content:".addField("; within:200; content:".popupRect"; within:200; content:".setAction("; within:50; content:"OnFocus"; within:50; content:".popupOpen"; within:50; content:".setFocus()"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16393; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44856; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt"; flow:to_client,established; file_data; content:"|9D BE 7E CC 05 25 BE 26 67 66 7D 58 7F 36 88 0D 63 A5 AC 92 55 B1 09 AC 86 CD 66 F3 59 2B 6B 67|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16365; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44854; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt"; flow:to_server,established; file_data; content:"|9D BE 7E CC 05 25 BE 26 67 66 7D 58 7F 36 88 0D 63 A5 AC 92 55 B1 09 AC 86 CD 66 F3 59 2B 6B 67|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16365; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44853; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat acrobat URI handler security bypass"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Action"; nocase; content:"/URI"; within:50; nocase; content:"acrobat|3A|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16366; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44883; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat acrobat URI handler security bypass"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Action"; nocase; content:"/URI"; within:50; nocase; content:"acrobat|3A|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16366; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44882; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"addAnnot"; fast_pattern; content:"__proto__"; content:"destroy"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16371; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:denial-of-service; sid:44874; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"addAnnot"; fast_pattern; content:"__proto__"; content:"destroy"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16371; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:denial-of-service; sid:44873; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.execDialog("; fast_pattern:only; pcre:"/app.execDialog\x28[^)]*?\x2C/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16365; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44872; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.execDialog("; fast_pattern:only; pcre:"/app.execDialog\x28[^)]*?\x2C/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16365; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44871; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Encoding"; within:40; content:"/BaseEncoding"; within:40; content:"/WinAnsiEncoding"; within:40; content:"/Differences"; within:40; pcre:"/\/Differences\s*\[\s*\d{4,}/m"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16415; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44988; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Encoding"; within:40; content:"/BaseEncoding"; within:40; content:"/WinAnsiEncoding"; within:40; content:"/Differences"; within:40; pcre:"/\/Differences\s*\[\s*\d{4,}/m"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16415; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44987; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit Reader util printf information disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; fast_pattern:only; metadata:service smtp; reference:cve,2017-16584; classtype:attempted-recon; sid:44980; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader util printf information disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16584; classtype:attempted-recon; sid:44979; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader ActualText attribute type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/ActualText"; nocase; content:"FEFF00AD"; within:15; nocase; content:"/HyphenSpan"; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16367; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:44977; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader ActualText attribute type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/ActualText"; nocase; content:"FEFF00AD"; within:15; nocase; content:"/HyphenSpan"; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16367; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:44976; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat malformed html tag out of bounds read attempt"; flow:to_server,established; file_data; content:"|39 4C EB 7D E7 26 0A 58 BA 65 C4 80 D2 27 27 77 C6 E5 37 F1 78 BC E6 BF 24 EA 43 F0 74 6D 6C 3E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16394; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44968; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Acrobat malformed html tag out of bounds read attempt"; flow:to_client,established; file_data; content:"|39 4C EB 7D E7 26 0A 58 BA 65 C4 80 D2 27 27 77 C6 E5 37 F1 78 BC E6 BF 24 EA 43 F0 74 6D 6C 3E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16394; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44967; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.doc"; fast_pattern:only; content:".__proto__"; content:".type"; within:200; content:".addAnnot("; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16375; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44962; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.doc"; fast_pattern:only; content:".__proto__"; content:".type"; within:200; content:".addAnnot("; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16375; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44961; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat malformed XObject use after free attempt"; flow:to_server,established; file_data; content:"/XObject<</Im0 2878 0 R/Im1 2133"; fast_pattern:only; metadata:service smtp; reference:cve,2017-16360; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:44958; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat malformed XObject use after free attempt"; flow:to_client,established; file_data; content:"/XObject<</Im0 2878 0 R/Im1 2133"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16360; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-admin; sid:44957; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"Array"; within:500; content:".__defineGetter__("; within:200; content:"search.objectMetadata"; within:500; content:".valueOf"; within:500; content:"search.objectMetadata"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16419; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44956; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt"; flow:to_server,established; file_data; content:"/JavaScript"; content:"Array"; within:500; content:".__defineGetter__("; within:200; content:"search.objectMetadata"; within:500; content:".valueOf"; within:500; content:"search.objectMetadata"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16419; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44955; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt"; flow:to_server,established; file_data; content:"|48 89 6C 4F CB 0A C2 40 0C BC E7 2B F2 05 31 9B 66 77 BB 50 7A A8 56 C1 9B BA E0 41 C4 83 AF 8B 15 EC C5 DF 37 6A 45 04 09 93 99 4C E6 90 DC 80 91 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16417; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44950; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt"; flow:to_client,established; file_data; content:"|48 89 6C 4F CB 0A C2 40 0C BC E7 2B F2 05 31 9B 66 77 BB 50 7A A8 56 C1 9B BA E0 41 C4 83 AF 8B 15 EC C5 DF 37 6A 45 04 09 93 99 4C E6 90 DC 80 91 D1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16417; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44949; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader double free attempt"; flow:to_server,established; file_data; content:"this.addAnnot|28|"; content:".setProps|28|"; within:250; content:"inReplyTo"; within:250; content:".popupOpen"; within:250; content:".width"; within:50; metadata:service smtp; reference:cve,2017-16420; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44948; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader double free attempt"; flow:to_client,established; file_data; content:"this.addAnnot|28|"; content:".setProps|28|"; within:250; content:"inReplyTo"; within:250; content:".popupOpen"; within:250; content:".width"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16420; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44947; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/Annot/Subtype"; content:"/DV "; within:500; content:"<FEFF00"; within:20; fast_pattern; pcre:"/\/Annot\/Subtype((?!endobj).)*\/DV\s+\<FEFF00[0-9a-zA-Z]+>/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16368; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44940; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/Annot/Subtype"; content:"/DV "; within:500; content:"<FEFF00"; within:20; fast_pattern; pcre:"/\/Annot\/Subtype((?!endobj).)*\/DV\s+\<FEFF00[0-9a-zA-Z]+>/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16368; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44939; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Measure"; within:20; fast_pattern; content:"<<"; within:500; content:"/F"; within:200; pcre:"/\x2FType\s*\x2FMeasure.*?<<\s*\x2F([UCO]|R[TD]|[PS]S)[\x2F\s]+((?!>>|\x2FF).)+\x2FF((?!\s*\x2F[FD]\s*\x2FD\s+\d+\s*(\x2FFD|>>)|\x2F[RT]\s*(>>|\x2FFD)).)+>>/msi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16364; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44934; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type"; content:"/Measure"; within:20; fast_pattern; content:"<<"; within:500; content:"/F"; within:200; pcre:"/\x2FType\s*\x2FMeasure.*?<<\s*\x2F([UCO]|R[TD]|[PS]S)[\x2F\s]+((?!>>|\x2FF).)+\x2FF((?!\s*\x2F[FD]\s*\x2FD\s+\d+\s*(\x2FFD|>>)|\x2F[RT]\s*(>>|\x2FFD)).)+>>/msi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16364; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44933; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"__proto__"; distance:0; content:"app.thermometer"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16372; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:denial-of-service; sid:44926; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"__proto__"; distance:0; content:"app.thermometer"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16372; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:denial-of-service; sid:44925; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt"; flow:to_server,established; content:"|2F|JavaScript"; content:"this.print"; within:50; pcre:"/this\x2Eprint\s*\x5C\x28\s*true/"; metadata:service smtp; reference:cve,2017-16391; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44915; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt"; flow:to_client,established; content:"|2F|JavaScript"; content:"this.print"; within:50; pcre:"/this\x2Eprint\s*\x5C\x28\s*true/"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16391; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44914; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader javscript use after free attempt"; flow:to_server, established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"addField"; content:"__defineGetter__"; content:"borderStyle"; within:100; metadata:service smtp; reference:cve,2017-16390; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44907; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader javscript use after free attempt"; flow:to_client, established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"addField"; content:"__defineGetter__"; content:"borderStyle"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16390; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44906; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat untrusted pointer dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"setPageAction"; within:150; content:"exportAsFDF"; within:150; content:"__proto__"; within:150; content:"AFSignature_Format"; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16373; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44905; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat untrusted pointer dereference attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"setPageAction"; within:150; content:"exportAsFDF"; within:150; content:"__proto__"; within:150; content:"AFSignature_Format"; within:150; metadata:service smtp; reference:cve,2017-16373; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44904; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"addField"; within:200; content:"addField"; within:200; content:"setAction"; within:200; content:"scroll"; within:200; content:"setFocus"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16389; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44901; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"addField"; within:200; content:"addField"; within:200; content:"setAction"; within:200; content:"scroll"; within:200; content:"setFocus"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16389; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44900; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader out of bounds memory access violation attempt"; flow:to_server,established; file_data; content:"cfef|00 04 00 00 00 00 00 02 00 01 00 00 00 03 00 02 00 19 00 03 00 03 00 01 00 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16405; reference:url,helpx.adobe.com/security/products/reader/apsb17-36.html; classtype:attempted-user; sid:45045; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader out of bounds memory access violation attempt"; flow:to_client,established; file_data; content:"cfef|00 04 00 00 00 00 00 02 00 01 00 00 00 03 00 02 00 19 00 03 00 03 00 01 00 00 00 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16405; reference:url,helpx.adobe.com/security/products/reader/apsb17-36.html; classtype:attempted-user; sid:45044; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Annotation use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"inReplyTo"; content:"toggleNoView"; within:100; content:"inReplyTo"; content:"modDate"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16398; reference:cve,2018-4959; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45041; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Annotation use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"inReplyTo"; content:"toggleNoView"; within:100; content:"inReplyTo"; content:"modDate"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16398; reference:cve,2018-4959; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45040; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader Annotation use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; fast_pattern:only; content:"/JavaScript"; content:"toString"; distance:0; content:"__defineGetter__"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16388; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45036; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader Annotation use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; fast_pattern:only; content:"/JavaScript"; content:"toString"; distance:0; content:"__defineGetter__"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16388; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45035; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF JPEG2000 image coding style default information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|FF 4F FF 51|"; content:"|FF 52 00 0C 00 01 00 06 00 05 03 03 0E 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2017-16387; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:misc-activity; sid:45030; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF JPEG2000 image coding style default information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|FF 4F FF 51|"; content:"|FF 52 00 0C 00 01 00 06 00 05 03 03 0E 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16387; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:misc-activity; sid:45029; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bound read exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"setAction"; distance:0; content:"Calculate"; within:50; content:"calculateNow"; fast_pattern:only; metadata:service smtp; reference:cve,2017-16414; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45028; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bound read exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/JavaScript"; content:"setAction"; distance:0; content:"Calculate"; within:50; content:"calculateNow"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16414; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45027; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bound read exploitation attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"/Type"; content:"/Annot"; distance:0; content:"/FT"; distance:0; content:"/DA"; distance:0; content:"|FF|"; within:200; pcre:"/\x2FDA\s*\x28[^\x29]*\xFF/smi"; metadata:service smtp; reference:cve,2017-16414; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45024; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bound read exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"/Type"; content:"/Annot"; distance:0; content:"/FT"; distance:0; content:"/DA"; distance:0; content:"|FF|"; within:200; pcre:"/\x2FDA\s*\x28[^\x29]*\xFF/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-16414; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:45023; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"getAnnots"; fast_pattern:only; pcre:"/getAnnots\x5C?\([^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*-\d/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34736; reference:cve,2009-1492; classtype:attempted-user; sid:45369; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.form.form1.name1"; content:"xfa.form.form1.name1.#validate[0].#picture[0]"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4913; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45696; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.form.form1.name1"; content:"xfa.form.form1.name1.#validate[0].#picture[0]"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4913; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45695; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt"; flow:to_server,established; file_data; content:"|32 EF 37 0E 49 84 87 DD 9D 2D DC C7 8E E2 4D FE E9 6B 9A 2E 08 46 FA AC D1 05 43 FC 2F 18 E4 4F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4892; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45737; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt"; flow:to_client,established; file_data; content:"|32 EF 37 0E 49 84 87 DD 9D 2D DC C7 8E E2 4D FE E9 6B 9A 2E 08 46 FA AC D1 05 43 FC 2F 18 E4 4F|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4892; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45736; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Widget"; content:"|2E FE FF|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4882; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45728; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Widget"; content:"|2E FE FF|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4882; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45727; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Widget"; content:"|20 FE FF|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4882; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45726; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Widget"; content:"|20 FE FF|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4882; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45725; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JS("; content:"|2E FE FF|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4882; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45724; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JS("; content:"|2E FE FF|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4882; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45723; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".getOCGs("; fast_pattern; content:".setIntent("; within:150; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4910; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45720; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".getOCGs("; fast_pattern; content:".setIntent("; within:150; metadata:service smtp; reference:cve,2018-4910; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45719; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader annotation object out of bounds read attempt"; flow:to_server,established; file_data; content:"Object_17 = this.addAnnot({type:"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4900; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45785; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader annotation object out of bounds read attempt"; flow:to_client,established; file_data; content:"Object_17 = this.addAnnot({type:"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4900; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-admin; sid:45784; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".getAnnotsRichMedia|28|"; nocase; content:"for|28|"; within:40; nocase; content:".activated=true"; nocase; content:".callAS("; distance:0; nocase; content:".callAS("; within:60; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4902; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-dos; sid:45869; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".getAnnotsRichMedia|28|"; nocase; content:"for|28|"; within:40; nocase; content:".activated=true"; nocase; content:".callAS("; distance:0; nocase; content:".callAS("; within:60; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4902; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-dos; sid:45868; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"docID"; fast_pattern:only; content:"trailer"; content:"/ID"; distance:0; content:!"]"; within:150; pcre:"/ID\s*?\[\s*?[^\]]*?<[a-fA-F0-9]{140,}>/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4901; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45867; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"docID"; fast_pattern:only; content:"trailer"; content:"/ID"; distance:0; content:!"]"; within:150; pcre:"/ID\s*?\[\s*?[^\]]*?<[a-fA-F0-9]{140,}>/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4901; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45866; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|A4 CA A1 04 6B AF 54 5B 11 5B B1 88 71 F0 8E FB D9 90 AC 72 22 BE BB 27 A8 58 E8 E9 56 B3 30 DF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4911; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45865; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A4 CA A1 04 6B AF 54 5B 11 5B B1 88 71 F0 8E FB D9 90 AC 72 22 BE BB 27 A8 58 E8 E9 56 B3 30 DF|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4911; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45864; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"bookmarkRoot"; content:"createChild"; within:50; content:"children"; content:"execute"; within:150; content:"remove"; within:200; content:"closeDoc"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4911; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45863; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"bookmarkRoot"; content:"createChild"; within:50; content:"children"; content:"execute"; within:150; content:"remove"; within:200; content:"closeDoc"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4911; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45862; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Microsoft Edge pdf parsing information disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/EmbeddedFile"; nocase; content:"3C736372697074"; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-0998; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0998; classtype:attempted-recon; sid:46227; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Microsoft Edge pdf parsing information disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/EmbeddedFile"; nocase; content:"3C736372697074"; within:500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-0998; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0998; classtype:attempted-recon; sid:46226; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt"; flow:to_server,established; file_data; content:"|93 22 02 65 90 2C 26 17 C1 11 25 59 CC 74 24 64 E2 D3 9F 3C 1D 8B B9 A2 64 56 70 15 D6 01 9B C1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4227; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:46491; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt"; flow:to_client,established; file_data; content:"|93 22 02 65 90 2C 26 17 C1 11 25 59 CC 74 24 64 E2 D3 9F 3C 1D 8B B9 A2 64 56 70 15 D6 01 9B C1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4227; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:46490; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; fast_pattern:only; content:"jp2h"; content:"ihdr"; within:4; distance:4; content:"colr"; within:18; distance:18; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4985; reference:url,helpx.adobe.com/security/products/reader/APSB18-09.html; classtype:attempted-user; sid:46732; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|00 00 00 0C 6A 50 20 20 0D 0A 87 0A|"; fast_pattern:only; content:"jp2h"; content:"ihdr"; within:4; distance:4; content:"colr"; within:18; distance:18; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4985; reference:url,helpx.adobe.com/security/products/reader/APSB18-09.html; classtype:attempted-user; sid:46731; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader pointer dereference attempt"; flow:to_server,established; content:"|0A|14 0 obj|0A 28 1A CA 20 4E 2A 05 7B 03 00 DD FF 1E 62 76 26 B3 29 0A 65 6E 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4987; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46724; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader pointer dereference attempt"; flow:to_client,established; content:"|0A|14 0 obj|0A 28 1A CA 20 4E 2A 05 7B 03 00 DD FF 1E 62 76 26 B3 29 0A 65 6E 64|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4987; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46723; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:".addField"; content:".addAnnot"; within:500; content:".popupOpen"; within:1000; distance:-500; content:".setAction"; within:1000; distance:-500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4961; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46722; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"addField"; content:"addAnnot"; within:500; content:"popupOpen"; within:1000; distance:-500; content:"setAction"; within:1000; distance:-500; content:"setFocus"; within:1000; distance:-500; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4961; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46721; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|7E 96 5F 71 EE 89 45 B2 88 0F 6A 50 1E 50 24 31 51 50 40 A2 4F 4B B3 DD 46 63 E9 96 B6 03 0D F0|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-4988; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46716; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Viewer_Form_string_Viewer"; content:"findComponent("; within:100; content:"cType"; within:25; nocase; content:"Plugin"; within:15; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-4988; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46715; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".CBBBRInit("; nocase; content:".closeDoc("; within:500; nocase; content:"app.doc.ADBCAnnotEnumerator("; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4980; reference:url,helpx.adobe.com/security/products/reader/apsb18-09.html; classtype:attempted-user; sid:46706; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".CBBBRInit("; nocase; content:".closeDoc("; within:500; nocase; content:"app.doc.ADBCAnnotEnumerator("; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4980; reference:url,helpx.adobe.com/security/products/reader/apsb18-09.html; classtype:attempted-user; sid:46705; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2F|XFA"; fast_pattern:only; content:"activity=|22|initialize|22|"; nocase; content:"activity=|22|initialize|22|"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16037; reference:cve,2018-16038; reference:cve,2018-16039; reference:cve,2018-4952; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:46697; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|XFA"; fast_pattern:only; content:"activity=|22|initialize|22|"; nocase; content:"activity=|22|initialize|22|"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16037; reference:cve,2018-16038; reference:cve,2018-16039; reference:cve,2018-4952; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:46696; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<event"; fast_pattern; content:"activity"; within:50; content:"initialize"; within:50; content:"xfa.form"; within:250; content:"Ref"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4953; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46687; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<event"; fast_pattern; content:"activity"; within:50; content:"initialize"; within:50; content:"xfa.form"; within:250; content:"Ref"; within:250; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4953; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46686; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader security bypass attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".launchURL("; fast_pattern; content:"?@"; within:250; pcre:"/\x2elaunchURL\x28[\x22\x27][^\x22\x27]*?\x3f\x40/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4979; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46681; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader security bypass attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".launchURL("; fast_pattern; content:"?@"; within:250; pcre:"/\x2elaunchURL\x28[\x22\x27][^\x22\x27]*?\x3f\x40/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4979; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-admin; sid:46680; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/GoToR"; fast_pattern:only; content:"/F"; content:"|28 5C 5C 5C 5C|"; within:100; content:"|5C 5C|"; within:260; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4993; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46678; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/GoToE"; fast_pattern:only; content:"/F"; content:"|28 5C 5C 5C 5C|"; within:100; content:"|5C 5C|"; within:260; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15979; reference:cve,2018-4993; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-40.html; classtype:attempted-recon; sid:46677; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/GoToE"; fast_pattern:only; content:"/F"; content:"|28 5C 5C 5C 5C|"; within:100; content:"|5C 5C|"; within:260; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15979; reference:cve,2018-4993; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-40.html; classtype:attempted-recon; sid:46676; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/GoToR"; fast_pattern:only; content:"/F"; content:"|28 5C 5C 5C 5C|"; within:100; content:"|5C 5C|"; within:260; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4993; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-recon; sid:46675; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt"; flow:to_server,established; file_data; content:"this.getAnnots(19).attachIcon = true |3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4958; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46658; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt"; flow:to_client,established; file_data; content:"this.getAnnots(19).attachIcon = true |3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4958; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46657; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"/JavaScript"; content:".getField("; within:500; content:".setFocus()|3B|"; within:50; content:"app.execMenuItem(|22|GeneralPrefs|22|)|3B|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4983; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46654; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"/JavaScript"; content:".getField("; within:500; content:".setFocus()|3B|"; within:50; content:"app.execMenuItem(|22|GeneralPrefs|22|)|3B|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4983; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46653; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA form use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".instanceManager.addInstance"; fast_pattern:only; content:"<event"; nocase; content:"indexChange"; within:100; nocase; content:".instanceManager.removeInstance"; within:300; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4954; reference:cve,2018-4974; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46650; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA form use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".instanceManager.addInstance"; fast_pattern:only; content:"<event"; nocase; content:"indexChange"; within:100; nocase; content:".instanceManager.removeInstance"; within:300; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4954; reference:cve,2018-4974; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46649; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"/JS"; distance:0; content:"xfa.resolveNode"; distance:0; content:"xfa.form"; within:20; content:"count"; within:50; content:"xfa.layout.relayout"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4977; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46646; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction"; content:"/JS"; distance:0; content:"xfa.resolveNode"; distance:0; content:"xfa.form"; within:20; content:"count"; within:50; content:"xfa.layout.relayout"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4977; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46645; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"getOCGs"; fast_pattern:only; content:"__defineGetter__"; content:"setIntent"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4962; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46639; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"getOCGs"; fast_pattern:only; content:"__defineGetter__"; content:"setIntent"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4962; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-09.html; classtype:attempted-user; sid:46638; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|E7 8F 58 0F F8 20 97 3D 84 B9 EF 4E 25 C1 2D 76 9C 5D 6B 1F 1F DA 2A C1 43 6A E1 12 36 0E EC 65|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4971; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:46810; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|E7 8F 58 0F F8 20 97 3D 84 B9 EF 4E 25 C1 2D 76 9C 5D 6B 1F 1F DA 2A C1 43 6A E1 12 36 0E EC 65|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4971; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-09.html; classtype:attempted-user; sid:46809; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF ADOBE ActiveX Browser Plugin client side request injection attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"<event"; content:"<submit"; within:100; content:"textEncoding="; within:150; content:"&#"; within:50; pcre:"/textEncoding=\x22.*&#x0?D\x3b&#x0?A\x3b/iG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4995; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-4995; classtype:attempted-user; sid:46857; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF ADOBE ActiveX Browser Plugin client side request injection attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"<event"; content:"<submit"; within:100; content:"textEncoding="; within:150; content:"&#"; within:50; pcre:"/textEncoding=\x22.*&#x0?D\x3b&#x0?A\x3b/iG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4995; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-4995; classtype:attempted-user; sid:46856; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader text annotations use after free attempt"; flow:to_client,established; file_data; content:"a = this.addAnnot({type:|22|Text|22|, page: 0, name:|22|uaf|22|})|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-9958; classtype:attempted-user; sid:48113; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader uninitialized pointer leak attempt"; flow:to_client,established; file_data; content:"var leaked = stolen[0] & 0xffff0000|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-9958; classtype:attempted-user; sid:48112; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit Reader text annotations use after free attempt"; flow:to_server,established; file_data; content:"a = this.addAnnot({type:|22|Text|22|, page: 0, name:|22|uaf|22|})|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-9958; classtype:attempted-user; sid:48111; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit Reader uninitialized pointer leak attempt"; flow:to_server,established; file_data; content:"var leaked = stolen[0] & 0xffff0000|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-9948; classtype:attempted-user; sid:48110; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF C2 00 11 08 00 20 00 20 03 01 22 00 02 11 01 03 11 01 FF C4 00 18 00 01 01 00 03 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12754; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48103; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<image>/9j/4AAQSkZJRgABAQIAHAAcAAD/2wBDASgcHvj4+Pj4+Dx2QUF/+"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12754; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48102; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF C2 00 11 08 00 20 00 20 03 01 22 00 02 11 01 03 11 01 FF C4 00 18 00 01 01 00 03 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12754; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48101; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<image>/9j/4AAQSkZJRgABAQIAHAAcAAD/2wBDASgcHvj4+Pj4+Dx2QUF/+"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12754; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48100; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XLST parsing engine use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"XMLData.parse"; content:"app.alert"; distance:0; content:".applyXSL"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12853; reference:url,helpx.adobe.com/security/products/reader/apsb18-30.html; classtype:attempted-user; sid:48042; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XLST parsing engine use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; fast_pattern:only; content:"XMLData.parse"; content:"app.alert"; distance:0; content:".applyXSL"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12853; reference:url,helpx.adobe.com/security/products/reader/apsb18-30.html; classtype:attempted-user; sid:48041; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader malformed JavaScript input out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"getAnnots("; nocase; content:".page"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15925; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48021; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader malformed JavaScript input out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"getAnnots("; nocase; content:".page"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15925; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48020; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader malformed JavaScript input out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem("; fast_pattern; content:"SinglePage"; within:20; nocase; content:"app.execMenuItem("; within:100; nocase; content:"PrevPage"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15923; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48019; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader malformed JavaScript input out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; content:"app.execMenuItem("; fast_pattern; content:"SinglePage"; within:20; nocase; content:"app.execMenuItem("; within:100; nocase; content:"PrevPage"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15923; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48018; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript pointer offset out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"3H236OQKCWO2QNEXO061QWDERPGFXLBY9L2J0Z7UPW0EUAVWKNL9ILCKCAMEEZOPNENEDXCF4P42LTX62AEGNNNZZPSJHGM8KH7F"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15921; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48001; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript pointer offset out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"3H236OQKCWO2QNEXO061QWDERPGFXLBY9L2J0Z7UPW0EUAVWKNL9ILCKCAMEEZOPNENEDXCF4P42LTX62AEGNNNZZPSJHGM8KH7F"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15921; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:48000; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro heap overflow attempt"; flow:to_server,established; file_data; content:"/9j/4AAQSkZJRgABAgEAeAB4AAD/4Qim"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12847; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47978; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro heap overflow attempt"; flow:to_client,established; file_data; content:"/9j/4AAQSkZJRgABAgEAeAB4AAD/4Qim"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12847; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47977; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript engine use after free attempt"; flow:to_server,established; file_data; content:".getField(|22|bq|22|).setFocus()|3B 0D 0A|app.execMenuItem(|22|GoToPage|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15924; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47974; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript engine use after free attempt"; flow:to_client,established; file_data; content:".getField(|22|bq|22|).setFocus()|3B 0D 0A|app.execMenuItem(|22|GoToPage|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15924; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47973; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG2000 out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; content:"|FF|"; within:300; byte_jump:2,1,relative; content:"|FF 53|"; within:2; distance:-2; byte_test:2,>,43,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12839; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47970; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG2000 out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; content:"|FF|"; within:300; byte_jump:2,1,relative; content:"|FF 53|"; within:2; distance:-2; byte_test:2,>,43,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12839; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47969; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JPEG2000 out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; content:"|FF|"; within:300; byte_jump:2,1,relative; content:"|FF 53|"; within:2; distance:-2; byte_test:2,<,9,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12839; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47968; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JPEG2000 out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JPXDecode"; content:"stream"; within:150; content:"|FF 4F FF 51|"; within:150; content:"|FF|"; within:300; byte_jump:2,1,relative; content:"|FF 53|"; within:2; distance:-2; byte_test:2,<,9,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12839; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47967; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader getProps Javascript heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"try { Object_17.setProps(Object_23.getProps())|3B| } catch(e) {}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12836; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47966; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader getProps Javascript heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"try { Object_17.setProps(Object_23.getProps())|3B| } catch(e) {}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12836; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47965; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript Engine use after free attempt"; flow:to_server,established; file_data; content:"_33.__defineSetter__(|22|commitOnSelChange|22|, function(newval)"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15920; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47948; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript Engine use after free attempt"; flow:to_client,established; file_data; content:"_33.__defineSetter__(|22|commitOnSelChange|22|, function(newval)"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15920; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47947; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Distiller invalid Keywords tag double free attempt"; flow:to_server,established; file_data; content:"pdfmark"; fast_pattern:only; content:"/Keywords"; pcre:"/\x2fKeywords\x20*?\x28[^\x29]+?[^\x5c]\x28/"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12841; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47946; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Distiller invalid Keywords tag double free attempt"; flow:to_client,established; file_data; content:"pdfmark"; fast_pattern:only; content:"/Keywords"; pcre:"/\x2fKeywords\x20*?\x28[^\x29]+?[^\x5c]\x28/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12841; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47945; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader rendering engine use-after-free attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|CA 08 45 56 44 DA 45 5B 51 28 12 B4 62 0E 7A 58 28 6A 0E 62 B7 A8 10 34 68 83 1F 75 29 01 C7 12|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12831; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47938; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader rendering engine use-after-free attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|CA 08 45 56 44 DA 45 5B 51 28 12 B4 62 0E 7A 58 28 6A 0E 62 B7 A8 10 34 68 83 1F 75 29 01 C7 12|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12831; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47937; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript engine heap overflow attempt"; flow:to_server,established; file_data; content:"opacity: -1385122851, popupRect: Object_1, toggleNoBiew: false})"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12846; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47931; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript engine heap overflow attempt"; flow:to_client,established; file_data; content:"opacity: -1385122851, popupRect: Object_1, toggleNoBiew: false})"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12846; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47930; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript endInitiatorMailOperation heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"Collab.endInitiatorMailOperation"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12832; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47929; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript endInitiatorMailOperation heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.endInitiatorMailOperation"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12832; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47928; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript annotation object rotation use-after-free attempt"; flow:to_server,established; file_data; content:"YGCCN9DIYUIA6NDUF20ZH5XAE9N85OXQ04Q8MDYDILS52LTLWQKXPHM5RUA1Q33H6IDIFUWEA62A5P4NPICA4LDRJAC1HNSOE7V1A5KDE"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service smtp; reference:cve,2018-12769; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47925; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript annotation object rotation use-after-free attempt"; flow:to_client,established; file_data; content:"YGCCN9DIYUIA6NDUF20ZH5XAE9N85OXQ04Q8MDYDILS52LTLWQKXPHM5RUA1Q33H6IDIFUWEA62A5P4NPICA4LDRJAC1HNSOE7V1A5KDE"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12769; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47924; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDF out of bounds read attempt"; flow:to_client,established; file_data; content:"zoomtype.refW|3B 0D 0A|try{this.getField(|22|mydata0|22|).value = 0}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12829; reference:url,helpx.adobe.com/security/products/acrobat/ASPB18-30.html; classtype:attempted-user; sid:47923; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PDF out of bounds read attempt"; flow:to_server,established; file_data; content:"zoomtype.refW|3B 0D 0A|try{this.getField(|22|mydata0|22|).value = 0}"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12829; reference:url,helpx.adobe.com/security/products/acrobat/ASPB18-30.html; classtype:attempted-user; sid:47922; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDF out of bounds read attempt"; flow:to_client,established; file_data; content:"|67 F0 E4 38 32 0E A9 45 A3 3E 10 4F 29 D8 0B 7A 6B 69 70 86 8E 5A 25 96 C0 53 71 47 50 4B A4 CE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12829; reference:url,helpx.adobe.com/security/products/acrobat/ASPB18-30.html; classtype:attempted-user; sid:47921; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PDF out of bounds read attempt"; flow:to_server,established; file_data; content:"|67 F0 E4 38 32 0E A9 45 A3 3E 10 4F 29 D8 0B 7A 6B 69 70 86 8E 5A 25 96 C0 53 71 47 50 4B A4 CE|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12829; reference:url,helpx.adobe.com/security/products/acrobat/ASPB18-30.html; classtype:attempted-user; sid:47920; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro malformed embedded TTF file memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|2A 48 F3 A1 9D 7C 8A CB E2 E2 8A B5 31 A9 16 91 B6 99 F6 4E F0 34 46 4C 4C C9 A4 50 A9 C6 66 AC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5031; reference:url,www.adobe.com/support/security/bulletins/apsb18-21.html; classtype:attempted-user; sid:47777; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro malformed embedded TTF file memory corruption attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|2A 48 F3 A1 9D 7C 8A CB E2 E2 8A B5 31 A9 16 91 B6 99 F6 4E F0 34 46 4C 4C C9 A4 50 A9 C6 66 AC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5031; reference:url,www.adobe.com/support/security/bulletins/apsb18-21.html; classtype:attempted-user; sid:47776; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro malformed embedded TTF file memory corruption attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 00 04 00 20 00 00 00 04 00 04 00 01 00 00 F0 6E FF FF 00 00 F0 6E FF FF 10 16 00 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5031; reference:url,www.adobe.com/support/security/bulletins/apsb18-21.html; classtype:attempted-user; sid:47775; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro malformed embedded TTF file memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 00 04 00 20 00 00 00 04 00 04 00 01 00 00 F0 6E FF FF 00 00 F0 6E FF FF 10 16 00 01 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5031; reference:url,www.adobe.com/support/security/bulletins/apsb18-21.html; classtype:attempted-user; sid:47774; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|FD FF 00 8B 00 00 10 E7 FF 00 00 00 00 1F 00 00 00 0A 00 5E 00 00 20 00 D1 00 43 EE 21 02 47 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12767; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47700; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|FD FF 00 8B 00 00 10 E7 FF 00 00 00 00 1F 00 00 00 0A 00 5E 00 00 20 00 D1 00 43 EE 21 02 47 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12767; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47699; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt"; flow:to_server,established; file_data; content:"|38 1B 01 00 00 64 6D C9 1B C5 6F EE 80 37 A0 85 D7 7A 76 7E 01 00 52 37 18 00 11 D1 5F E8 39 8D|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-15930; reference:cve,2018-15932; reference:cve,2018-15933; reference:cve,2018-15935; reference:cve,2018-15936; reference:cve,2018-15938; reference:cve,2018-5047; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:47688; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt"; flow:to_client,established; file_data; content:"|38 1B 01 00 00 64 6D C9 1B C5 6F EE 80 37 A0 85 D7 7A 76 7E 01 00 52 37 18 00 11 D1 5F E8 39 8D|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15930; reference:cve,2018-15932; reference:cve,2018-15933; reference:cve,2018-15935; reference:cve,2018-15936; reference:cve,2018-15938; reference:cve,2018-5047; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-recon; sid:47687; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt"; flow:to_server,established; file_data; content:"|D7 7A 76 7E 01 00 52 37 18 00 11 D1 5F E8 39 8D AB 00 00 00 3C A5 09 00 C0 5E 62 8D 5C 9D C5 F2|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-15930; reference:cve,2018-15932; reference:cve,2018-15934; reference:cve,2018-15935; reference:cve,2018-15936; reference:cve,2018-15938; reference:cve,2018-15952; reference:cve,2018-5048; reference:cve,2019-7034; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-recon; sid:47686; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt"; flow:to_client,established; file_data; content:"|D7 7A 76 7E 01 00 52 37 18 00 11 D1 5F E8 39 8D AB 00 00 00 3C A5 09 00 C0 5E 62 8D 5C 9D C5 F2|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-15930; reference:cve,2018-15932; reference:cve,2018-15934; reference:cve,2018-15935; reference:cve,2018-15936; reference:cve,2018-15938; reference:cve,2018-15952; reference:cve,2018-5048; reference:cve,2019-7034; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-recon; sid:47685; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|00 00 00 04 00 00 00 7F 00 FF 10 FF FF DF F2 47 FF CA 03 00 00 00 00 1F A4 22 FF 00 00 46 FF FF FC 04|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12764; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47667; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|00 00 00 04 00 00 00 7F 00 FF 10 FF FF DF F2 47 FF CA 03 00 00 00 00 1F A4 22 FF 00 00 46 FF FF FC 04|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12764; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47666; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|02 80 00 01 00 00 00 22 19 13 80 00 2D 00 00 01 7F EB 00 00 00 64 7F FF 7F 10 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12768; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47648; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|02 80 00 01 00 00 00 22 19 13 80 00 2D 00 00 01 7F EB 00 00 00 64 7F FF 7F 10 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12768; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47647; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|20 8D E2 49 00 76 9C D0 FB 7C ED 78 5C 4C FA F9 72 3F 2F 55 C4 1A 53 B3 3A 3E 10 32 A8 FF 13 2B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12765; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47624; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|20 8D E2 49 00 76 9C D0 FB 7C ED 78 5C 4C FA F9 72 3F 2F 55 C4 1A 53 B3 3A 3E 10 32 A8 FF 13 2B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12765; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47623; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|77 17 F7 EC D9 B3 FD EC E6 E3 7B FA 93 E7 CF 0F 16 19 9B ED 37 F2 0F C1 24 6B DE CF 04 17 09 6B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12808; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-29.html; classtype:attempted-user; sid:47575; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|77 17 F7 EC D9 B3 FD EC E6 E3 7B FA 93 E7 CF 0F 16 19 9B ED 37 F2 0F C1 24 6B DE CF 04 17 09 6B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12808; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-29.html; classtype:attempted-user; sid:47574; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JBIG parsing out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|00 00 00 20 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 9E E8 54 EC DF EB 09 4E 93 FF AC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12766; reference:cve,2018-12840; reference:cve,2018-12869; reference:cve,2018-12870; reference:cve,2018-12871; reference:cve,2018-12872; reference:cve,2018-12873; reference:cve,2018-12874; reference:cve,2018-15929; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:misc-activity; sid:47439; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JBIG parsing out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|00 00 00 20 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 9E E8 54 EC DF EB 09 4E 93 FF AC|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12766; reference:cve,2018-12840; reference:cve,2018-12869; reference:cve,2018-12870; reference:cve,2018-12871; reference:cve,2018-12872; reference:cve,2018-12873; reference:cve,2018-12874; reference:cve,2018-15929; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-34.html; classtype:misc-activity; sid:47438; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_server,established; file_data; content:"9odfwECEBAdEBAuLi4uLi4nJycnJ/j4+"; metadata:service smtp; reference:cve,2018-5068; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47379; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_client,established; file_data; content:"9odfwECEBAdEBAuLi4uLi4nJycnJ/j4+"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5068; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47378; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt"; flow:to_server,established; file_data; content:"xfa.datasets.nodes.item(0)|3B 0A 09|var xslt_s = unescape"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5065; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47372; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt"; flow:to_client,established; file_data; content:"xfa.datasets.nodes.item(0)|3B 0A 09|var xslt_s = unescape"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5065; reference:url,attack.mitre.org/techniques/T1220; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47371; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader double free attempt"; flow:to_client,established; file_data; content:"|1F 64 89 FB 2F 11 CA CD B7 54 F8 5B EE E0 6F AB F0 B7 91 FE 16 21 7F 2B BC 1A D9 2E B0 FE 7E 73|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12782; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47366; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader double free attempt"; flow:to_server,established; file_data; content:"|1F 64 89 FB 2F 11 CA CD B7 54 F8 5B EE E0 6F AB F0 B7 91 FE 16 21 7F 2B BC 1A D9 2E B0 FE 7E 73|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-12782; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47365; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro out of bounds write attempt"; flow:to_server,established; file_data; content:"|FF 65 DE 64 C0 74 04 48 58 59 BD A0 CA 0D 87 A1 14 98 71 13 C5 14 54 5F B3 50 FA F4 C3 77 BF 03|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-5059; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47335; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro out of bounds write attempt"; flow:to_client,established; file_data; content:"|FF 65 DE 64 C0 74 04 48 58 59 BD A0 CA 0D 87 A1 14 98 71 13 C5 14 54 5F B3 50 FA F4 C3 77 BF 03|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5059; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47334; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader out of bounds write attempt"; flow:to_server,to_server,established; file_data; content:"CICb98X02muekzqpJZQru5jJoDi79Dnl"; metadata:service smtp; reference:cve,2018-12755; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47319; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader out of bounds write attempt"; flow:to_client,established; file_data; content:"CICb98X02muekzqpJZQru5jJoDi79Dnl"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12755; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47318; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader use-after-free attempt"; flow:to_server, established; flowbits:isset,file.pdf; file_data; content:"commitOnSelChange"; content:"__defineGetter__"; within:200; distance:-100; content:"addAnnot"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5009; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47298; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader use-after-free attempt"; flow:to_client, established; flowbits:isset,file.pdf; file_data; content:"commitOnSelChange"; content:"__defineGetter__"; within:200; distance:-100; content:"addAnnot"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5009; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47297; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Fields"; nocase; content:"/JavaScript"; nocase; content:"exportAsFDFStr("; distance:0; nocase; content:"getField"; within:100; nocase; content:"setFocus"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5021; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47290; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Fields"; nocase; content:"/JavaScript"; nocase; content:"exportAsFDFStr("; distance:0; nocase; content:"getField"; within:100; nocase; content:"setFocus"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5021; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47289; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets"; nocase; content:"unescape"; within:150; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"applyXSL"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5063; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47288; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets"; nocase; content:"unescape"; within:150; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"applyXSL"; distance:0; fast_pattern; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5063; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47287; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets"; nocase; content:"unescape"; within:150; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12875; reference:cve,2018-5064; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47271; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets"; nocase; content:"unescape"; within:150; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; content:"%u"; within:10; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12875; reference:cve,2018-5064; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-30.html; classtype:attempted-user; sid:47270; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|1E 19 13 A2 00 00 00 C4 88 59 3A 03 24 49 00 00 00 6C 1B 15 51 04 C8 9D F3 0A CC F3 19 22 23 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5036; reference:cve,2018-5041; reference:cve,2018-5049; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47240; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|1E 19 13 A2 00 00 00 C4 88 59 3A 03 24 49 00 00 00 6C 1B 15 51 04 C8 9D F3 0A CC F3 19 22 23 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5036; reference:cve,2018-5041; reference:cve,2018-5049; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47239; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript annotation out of bound read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; fast_pattern:only; content:"/JS"; content:".addAnnot"; within:150; nocase; content:".addAnnot"; within:150; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5066; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47228; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript annotation out of bound read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /JavaScript"; fast_pattern:only; content:"/JS"; content:".addAnnot"; within:150; nocase; content:".addAnnot"; within:150; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5066; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47227; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader annotated page object out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/Annots"; nocase; content:"/Fields"; within:150; nocase; content:"0 obj"; within:100; nocase; content:"/AA"; within:150; nocase; content:"execMenuItem"; distance:0; nocase; content:"NextPage"; within:15; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5026; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47226; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader annotated page object out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Annots"; nocase; content:"/Fields"; within:150; nocase; content:"0 obj"; within:100; nocase; content:"/AA"; within:150; nocase; content:"execMenuItem"; distance:0; nocase; content:"NextPage"; within:15; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5026; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47225; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt"; flow:to_server,established; file_data; content:"|96 02 00 08 06 52 3C 96 04 00 08 07 08 08 1C 96 02 00 08 09 4E 3C 96 02 00 08 00 1C 96 04 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4227; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:47224; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt"; flow:to_client,established; file_data; content:"|96 02 00 08 06 52 3C 96 04 00 08 07 08 08 1C 96 02 00 08 09 4E 3C 96 02 00 08 00 1C 96 04 00 08|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4227; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:47223; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript object prototype defineSetter out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"defineProperty("; nocase; content:"prototype"; within:20; nocase; content:"prototype"; distance:0; content:"__defineSetter__"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5025; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47222; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript object prototype defineSetter out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"defineProperty("; nocase; content:"prototype"; within:20; nocase; content:"prototype"; distance:0; content:"__defineSetter__"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5025; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47221; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript annotation objects out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:"addAnnot"; within:100; nocase; content:"syncAnnotScan"; distance:0; nocase; content:"getAnnots"; within:100; nocase; content:"destroy"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5024; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47215; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript annotation objects out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:"addAnnot"; within:100; nocase; content:"syncAnnotScan"; distance:0; nocase; content:"getAnnots"; within:100; nocase; content:"destroy"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5024; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47214; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript form field manipulation out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:".getField"; distance:0; fast_pattern; nocase; content:".setFocus"; within:30; nocase; content:".resetForm"; within:50; nocase; content:".getField"; within:20; nocase; content:".name"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5023; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47213; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript form field manipulation out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:".getField"; distance:0; fast_pattern; nocase; content:".setFocus"; within:30; nocase; content:".resetForm"; within:50; nocase; content:".getField"; within:20; nocase; content:".name"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5023; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47212; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript field manipulation out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:"getNthFieldName"; within:50; nocase; content:"getField"; within:30; nocase; content:"richText"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5022; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47190; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript field manipulation out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:"getNthFieldName"; within:50; nocase; content:"getField"; within:30; nocase; content:"richText"; within:20; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5022; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47189; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; content:"template"; within:25; content:"outerform"; within:25; content:"xfa.resolveNode"; within:50; content:"form"; within:25; content:"outerform"; within:25; metadata:service smtp; reference:cve,2018-12794; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47188; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; content:"template"; within:25; content:"outerform"; within:25; content:"xfa.resolveNode"; within:50; content:"form"; within:25; content:"outerform"; within:25; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-12794; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47187; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt"; flow:to_server,established; file_data; content:"|0D 40 01 40 24 00 00 00 18 00 00 00 00 00 00 00 41 41 41 41 00 00 00 00 00 00 80 3F 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5067; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47186; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt"; flow:to_client,established; file_data; content:"|0D 40 01 40 24 00 00 00 18 00 00 00 00 00 00 00 41 41 41 41 00 00 00 00 00 00 80 3F 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5067; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47185; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt"; flow:to_server,established; file_data; content:"|D9 86 C9 F6 5B 3D BD ED 7A F2 2F 2D DD B2 B5 D4 7F 91 DA F0 F3 9B DE 0C 3F E5 17 1D 34 D3 41 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12798; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47170; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/PageLabels"; content:"/P"; within:75; isdataat:175,relative; content:"|28|"; within:25; content:!"|29|"; within:150; pcre:"/\x2fPageLabels((?!>>).{0,75}?)\x2fP\s*?\x28[^\x29]{150}/is"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12798; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47169; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt"; flow:to_client,established; file_data; content:"|D9 86 C9 F6 5B 3D BD ED 7A F2 2F 2D DD B2 B5 D4 7F 91 DA F0 F3 9B DE 0C 3F E5 17 1D 34 D3 41 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12798; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47168; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/PageLabels"; content:"/P"; within:75; isdataat:175,relative; content:"|28|"; within:25; content:!"|29|"; within:150; pcre:"/\x2fPageLabels((?!>>).{0,75}?)\x2fP\s*?\x28[^\x29]{150}/is"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12798; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47167; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt"; flow:to_server,established; file_data; content:"<script>"; nocase; content:"function"; within:20; nocase; content:"<input id"; distance:0; content:"type"; within:50; nocase; content:"image"; within:10; nocase; pcre:"/\<script\>[^>]*?function\s?(?P<func>\w+\x28\x29)[^>]*?\.type\s?=\s?[\x27\x22](?P<type>\w+).*?type\s?=\s?[\x27\x22](?!(?P=type)).*?=[\x27\x22](?P=func)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12770; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47165; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"function"; within:20; nocase; content:"<input id"; distance:0; nocase; content:"type"; within:50; nocase; content:"image"; within:10; nocase; pcre:"/\<script\>[^>]*?function\s?(?P<func>\w+\x28\x29)[^>]*?\.type\s?=\s?[\x27\x22](?P<type>\w+).*?type\s?=\s?[\x27\x22](?!(?P=type)).*?=[\x27\x22](?P=func)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12770; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47164; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt"; flow:to_server,established; file_data; content:"<</XFA"; nocase; content:"xfa.resolveNode("; nocase; content:"xfa.form"; within:15; nocase; pcre:"/xfa\.resolveNode\([\x22\x27](?P<nestxfa>xfa\.form(\.\w+?){4})[^>]*?(?P=nestxfa)[^>]*?(?P=nestxfa)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12757; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47163; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt"; flow:to_client,established; file_data; content:"<</XFA"; nocase; content:"xfa.resolveNode("; nocase; content:"xfa.form"; within:15; nocase; pcre:"/xfa\.resolveNode\([\x22\x27](?P<nestxfa>xfa\.form(\.\w+?){4})[^>]*?(?P=nestxfa)[^>]*?(?P=nestxfa)/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12757; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47162; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"__defineGetter__"; content:".removeLinks"; within:100; fast_pattern; content:".addLink"; within:100; content:".rect"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12797; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47150; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"__defineGetter__"; content:".removeLinks"; within:100; fast_pattern; content:".addLink"; within:100; content:".rect"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12797; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47149; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro out-of-bounds write attempt"; flow:to_server,established; file_data; content:"|2F|9j|2F|4AAQSkZJRgABAQIAHAAcAAD|2F|2wB"; metadata:service smtp; reference:cve,2018-5070; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48212; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro out-of-bounds write attempt"; flow:to_client,established; file_data; content:"|2F|9j|2F|4AAQSkZJRgABAQIAHAAcAAD|2F|2wB"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-5070; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:48211; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:".addAnnot"; nocase; content:".getAnnot"; within:200; nocase; content:".destroy"; within:200; nocase; content:".point"; within:200; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-9948; reference:cve,2018-9958; reference:url,foxitsoftware.com/support/security-bulletins.php; classtype:attempted-user; sid:48227; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; nocase; content:".addAnnot"; nocase; content:".getAnnot"; within:200; nocase; content:".destroy"; within:50; nocase; content:".point"; within:200; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-9948; reference:cve,2018-9958; reference:url,foxitsoftware.com/support/security-bulletins.php; classtype:attempted-user; sid:48226; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|8B D8 8C 38 05 C7 B7 77 05 3F 15 76 D6 65 3E E2 EC 9C 7F C1 67 0B BF 08 5E 21 FB 83 09 AB 9D 41|"; metadata:service smtp; classtype:attempted-user; sid:48223; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|8B D8 8C 38 05 C7 B7 77 05 3F 15 76 D6 65 3E E2 EC 9C 7F C1 67 0B BF 08 5E 21 FB 83 09 AB 9D 41|"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48222; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt"; flow:to_client,established; file_data; content:"|C8 62 00 51 03 B8 E7 25 32 ED A8 E3 FB 7D 94 DD A4 C1 77 54 47 0F 96 38 A2 0E 85 22 BF 18 C2 D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:48248; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt"; flow:to_server,established; file_data; content:"|C8 62 00 51 03 B8 E7 25 32 ED A8 E3 FB 7D 94 DD A4 C1 77 54 47 0F 96 38 A2 0E 85 22 BF 18 C2 D1|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:48247; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt"; flow:to_server,established; file_data; content:"de71de285fd62491890f2f1bedbfb3310f554610"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-5011; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48512; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt"; flow:to_client,established; file_data; content:"de71de285fd62491890f2f1bedbfb3310f554610"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-5011; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-21.html; classtype:attempted-user; sid:48511; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_server,established; file_data; content:"fc.usehref = |22|string|22 3B 0D 0A| o6.nodes.item(0).close()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16033; classtype:attempted-recon; sid:48611; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_client,established; file_data; content:"fc.usehref = |22|string|22 3B 0D 0A| o6.nodes.item(0).close()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16033; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-41.html; classtype:attempted-recon; sid:48610; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat index file parsing memory corruption attempt"; flow:to_server,established; file_data; content:"println|5C 28 22|exec|3A 5C 5C|nsearch.query|5C 28 5C 5C 22|test|5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16004; reference:cve,2018-16005; reference:cve,2018-16007; reference:cve,2018-16043; reference:cve,2018-16045; reference:cve,2018-16046; reference:cve,2018-19719; reference:cve,2018-19720; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48599; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat index file parsing memory corruption attempt"; flow:to_client,established; file_data; content:"println|5C 28 22|exec|3A 5C 5C|nsearch.query|5C 28 5C 5C 22|test|5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16004; reference:cve,2018-16005; reference:cve,2018-16007; reference:cve,2018-16043; reference:cve,2018-16045; reference:cve,2018-16046; reference:cve,2018-19719; reference:cve,2018-19720; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48598; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt"; flow:to_server,established; file_data; content:"</cd></catalog>|22 3B 5C|015|5C|012xml = XMLData.parse|5C|050xml,false|5C|051|3B 5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16023; reference:cve,2018-16024; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48595; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt"; flow:to_client,established; file_data; content:"</cd></catalog>|22 3B 5C|015|5C|012xml = XMLData.parse|5C|050xml,false|5C|051|3B 5C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16023; reference:cve,2018-16024; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48594; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</XFA"; content:"= xfa.resolveNode(|22|xfa[0].form[0]"; within:250; fast_pattern; content:"= xfa.resolveNode(|22|xfa[0].template[0]"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-19708; reference:cve,2018-19709; reference:cve,2018-19710; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48585; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<</XFA"; content:"= xfa.resolveNode(|22|xfa[0].form[0]"; within:250; fast_pattern; content:"= xfa.resolveNode(|22|xfa[0].template[0]"; within:100; metadata:service smtp; reference:cve,2018-19708; reference:cve,2018-19709; reference:cve,2018-19710; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48584; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt"; flow:to_server,established; file_data; content:" = function() {|0A| removeAllLinks()|3B 0A| return "; fast_pattern:only; content:"this.addLink(0, [1,2,3,4])."; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16029; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48583; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt"; flow:to_client,established; file_data; content:" = function() {|0A| removeAllLinks()|3B 0A| return "; fast_pattern:only; content:"this.addLink(0, [1,2,3,4])."; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16029; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48582; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader xfa use after free attempt"; flow:to_server,established; file_data; content:"var o7 = xfa.resolveNode(|22|xfa[0].form[0].subform[0].fc[0]|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16036; reference:url,url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48579; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader xfa use after free attempt"; flow:to_client,established; file_data; content:"var o7 = xfa.resolveNode(|22|xfa[0].form[0].subform[0].fc[0]|22|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16036; reference:url,url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48578; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"JS(addAnnot({type:'Stamp',rotate"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16034; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48637; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JS(addAnnot({type:'Stamp',rotate"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16034; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48636; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"nodes.remove"; content:"/OpenAction"; content:"xfa.host.resetData"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19699; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48632; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JavaScript"; content:"nodes.remove"; content:"/OpenAction"; content:"xfa.host.resetData"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19699; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48631; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat integer overflow attempt"; flow:to_server,established; file_data; content:"/JS (console.show|5C|(|5C|)|3B||5C|r|5C|nconsole.println|5C|(|22|exec:|5C||5C|nsearch.query|5C|(|5C||5C||22|test|5C||5C||22|, |5C||5C||22|ActiveDoc|5C||5C||22||5C|)|5C|)|22||5C|)|3B||5C|r|5C|n|5C|r|5C|nsearch.query|5C|(|22|test|22|, |22|ActiveDoc|22||5C|)|3B|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16007; reference:cve,2018-16009; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48628; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat integer overflow attempt"; flow:to_client,established; file_data; content:"/JS (console.show|5C|(|5C|)|3B||5C|r|5C|nconsole.println|5C|(|22|exec:|5C||5C|nsearch.query|5C|(|5C||5C||22|test|5C||5C||22|, |5C||5C||22|ActiveDoc|5C||5C||22||5C|)|5C|)|22||5C|)|3B||5C|r|5C|n|5C|r|5C|nsearch.query|5C|(|22|test|22|, |22|ActiveDoc|22||5C|)|3B|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16007; reference:cve,2018-16009; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48627; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"RegExp(Array("; byte_test:10,>,0x8000,0,relative,string,dec; content:".join"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19716; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,www.talosintelligence.com/reports/TALOS-2018-0704/; classtype:attempted-user; sid:48294; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"RegExp(Array("; byte_test:10,>,0x8000,0,relative,string,dec; content:".join"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19716; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; reference:url,www.talosintelligence.com/reports/TALOS-2018-0704/; classtype:attempted-user; sid:48293; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro memory corruption attempt"; flow:to_server,established; file_data; content:"this.addLink(0, [1,2,3,4]).borderColor = arr|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16027; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48739; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro memory corruption attempt"; flow:to_client,established; file_data; content:"this.addLink(0, [1,2,3,4]).borderColor = arr|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16027; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48738; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader heap overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|A8 47 82 8D 2C 0F 3F AC DA 03 04 C0 44 59 FC 1C 52 E8 BA A4 59 20 0F CB CF 51 EF C8 FB B9 64 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12830; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48708; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|A8 47 82 8D 2C 0F 3F AC DA 03 04 C0 44 59 FC 1C 52 E8 BA A4 59 20 0F CB CF 51 EF C8 FB B9 64 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12830; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48707; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript extractContents use after free attempt"; flow:to_server,established; file_data; content:".addEventListener"; content:"DOMSubtreeModified"; fast_pattern:only; content:"document.createRange"; content:".extractContents"; within:120; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15992; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48757; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript extractContents use after free attempt"; flow:to_client,established; file_data; content:".addEventListener"; content:"DOMSubtreeModified"; fast_pattern:only; content:"document.createRange"; content:".extractContents"; within:120; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15992; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48756; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA resolveNode use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/JS"; content:"xfa.resolveNode"; distance:0; content:"xfa.resolveNode"; distance:0; content:"remove"; within:60; content:"remerge"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19700; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48753; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA resolveNode use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JS"; content:"xfa.resolveNode"; distance:0; content:"xfa.resolveNode"; distance:0; content:"remove"; within:60; content:"remerge"; within:40; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19700; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48752; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"/OpenAction"; content:"/JS"; within:20; content:"xfa.resolveNode"; fast_pattern; content:".selectedMember"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19707; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48751; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/AcroForm"; content:"/OpenAction"; content:"/JS"; within:20; content:"xfa.resolveNode"; fast_pattern; content:".selectedMember"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19707; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48750; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat javascript based security bypass attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"search.query(|22|test|22|, |22|ActiveDoc|22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16044; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48817; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat javascript based security bypass attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"search.query(|22|test|22|, |22|ActiveDoc|22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16044; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48816; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|8F AE CA 1C EC EB CE 55 51 38 DA 37 57 25 E1 D6 7E B8 4A 84 D5 6E 5C 15 1A 4E F6 84 3A 67 3B B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15984; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48802; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|8F AE CA 1C EC EB CE 55 51 38 DA 37 57 25 E1 D6 7E B8 4A 84 D5 6E 5C 15 1A 4E F6 84 3A 67 3B B8|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15984; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48801; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|65 4E 6F 64 65 28 22 78 66 61 5B 30 5D 2E 66 6F 72 6D 5B 30 5D 2E 73 75 62 30 5B 30 5D 22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19698; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48828; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|65 4E 6F 64 65 28 22 78 66 61 5B 30 5D 2E 66 6F 72 6D 5B 30 5D 2E 73 75 62 30 5B 30 5D 22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19698; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48827; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".ANAuthenticateResource"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16040; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48849; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:".ANAuthenticateResource"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16040; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48848; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt"; flow:to_server,established; file_data; content:"/JavaScript"; content:"addAnnot"; within:100; content:"getLegalWarnings"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19715; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48897; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt"; flow:to_client,established; file_data; content:"/JavaScript"; content:"addAnnot"; within:100; content:"getLegalWarnings"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19715; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48896; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt"; flow:to_client,established; flowbits:isset,file.xps; file_data; content:"|94 BC 09 80 1C 57 75 2E 7C 6F 55 EF 6B 55 F5 52 BD EF DB F4 56 DD D5 DB F4 EC 9A 45 1A 8D F6 91|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15996; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48893; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt"; flow:to_server,established; flowbits:isset,file.xps; file_data; content:"|94 BC 09 80 1C 57 75 2E 7C 6F 55 EF 6B 55 F5 52 BD EF DB F4 56 DD D5 DB F4 EC 9A 45 1A 8D F6 91|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15996; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48892; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"|00 04 00 00 00 00 FF FF 00 00 00 04 00 00 00 00 FF FF 00 00 00 4A 00 00 00 01 00 00 00 0A 00 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-15996; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48891; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 04 00 00 00 00 FF FF 00 00 00 04 00 00 00 00 FF FF 00 00 00 4A 00 00 00 01 00 00 00 0A 00 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-15996; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48890; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt"; flow:to_server,established; file_data; content:"/OpenAction"; depth:50; content:"execMenuItem"; within:100; content:"TwoPages"; within:20; content:"zoomtype"; within:50; content:"pref"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19717; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48889; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt"; flow:to_client,established; file_data; content:"/OpenAction"; depth:50; content:"execMenuItem"; within:100; content:"TwoPages"; within:20; content:"zoomtype"; within:50; content:"pref"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19717; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48888; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds read"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"doc.ANClipPrec3"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19701; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48945; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds read"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"doc.ANClipPrec3"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16047; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48944; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds read"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"submitForm"; content:"cSubmitAs:'XML'"; distance:1; fast_pattern; content:"oXML:XMLData"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16031; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48943; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds read"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"submitForm"; content:"cSubmitAs:'XML'"; distance:1; fast_pattern; content:"oXML:XMLData"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16031; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48942; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat PDF calculate tag use-after-free attempt"; flow:to_server,established; file_data; content:"<field"; content:"<calculate"; within:250; content:"<script"; within:100; content:"/*"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19713; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48974; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat PDF calculate tag use-after-free attempt"; flow:to_client,established; file_data; content:"<field"; content:"<calculate"; within:250; content:"<script"; within:100; content:"/*"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19713; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:48973; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PPKLite security handler memory corruption vulnerability attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 3E 0A 3E 3E 0A|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-16042; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48968; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PPKLite security handler memory corruption vulnerability attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 3E 0A 3E 3E 0A|"; fast_pattern:only; metadata:service smtp; reference:cve,2018-16042; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48967; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader PPKLite security handler memory corruption vulnerability attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F|ByteRange"; fast_pattern:only; content:"|0A|endobj"; content:"|3E 0A|"; within:40; distance:-50; content:"|2F|ByteRange"; within:20; pcre:!"/\x2fByteRange\s*\x5b\s*\d+\s+\d+\s+\d+\s+\d+\x5d/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2018-16042; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48966; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader PPKLite security handler memory corruption vulnerability attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2F|ByteRange"; fast_pattern:only; content:"|0A|endobj"; content:"|3E 0A|"; within:40; distance:-50; content:"|2F|ByteRange"; within:20; pcre:!"/\x2fByteRange\s*\x5b\s*\d+\s+\d+\s+\d+\s+\d+\x5d/smi"; metadata:service smtp; reference:cve,2018-16042; reference:url,helpx.adobe.com/security/products/reader/apsb18-41.html; classtype:attempted-user; sid:48965; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt"; flow:to_server,established; file_data; content:"|CD F2 EB 99 7C 6D 93 26 AD 10 96 22 65 E6 BD 19 FB D9 33 C3 6F 9B 22 27 35 F8 CA 94 36 89 B6 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16041; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:49037; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CD F2 EB 99 7C 6D 93 26 AD 10 96 22 65 E6 BD 19 FB D9 33 C3 6F 9B 22 27 35 F8 CA 94 36 89 B6 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16041; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:49036; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript out-of-bounds read"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"resolveNode"; content:"resolveNode"; within:100; content:"try"; content:"nodes.insert"; within:50; content:"catch"; within:25; content:"remerge()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-16047; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:49082; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript out-of-bounds read"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"resolveNode"; content:"resolveNode"; within:100; content:"try"; content:"nodes.insert"; within:50; content:"catch"; within:25; content:"remerge()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-16047; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-41.html; classtype:attempted-user; sid:49081; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"xml"; content:"stylesheet"; within:100; content:"href"; within:100; content:"|5C 5C|"; within:100; metadata:service smtp; reference:cve,2019-7089; reference:cve,2019-7815; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-13.html; classtype:attempted-user; sid:49179; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"xml"; content:"stylesheet"; within:100; content:"href"; within:100; content:"|5C 5C|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2019-7089; reference:cve,2019-7815; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-13.html; classtype:attempted-user; sid:49178; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|F4 06 D8 81 76 44 48 A7 76 CA DD 26 54 69 E5 94 28 D5 2F A0 33 70 88 24 1B 65 1C 91 B5 76 E8 79 75 6B 30 A9 30 A6 54 52 38 9C 0F 6F A3 1F 62 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7022; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49204; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|F4 06 D8 81 76 44 48 A7 76 CA DD 26 54 69 E5 94 28 D5 2F A0 33 70 88 24 1B 65 1C 91 B5 76 E8 79 75 6B 30 A9 30 A6 54 52 38 9C 0F 6F A3 1F 62 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7022; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49203; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|56 37 26 A3 6B B6 A2 04 8C 6A 72 6D CA 8C 7E BF FD 9C 7C A4 57 22 ED 72 7B 89 2F 41 B0 69 C3 57 46 37 DE DB 4B CE 4D CB 64 DE DC 01 53 4D CD 31 C1 A9 20 F8 A4 1E 6A 5B 49 0F 43 C9 13 7C B7 DB B1 AE 90|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7018; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49202; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|56 37 26 A3 6B B6 A2 04 8C 6A 72 6D CA 8C 7E BF FD 9C 7C A4 57 22 ED 72 7B 89 2F 41 B0 69 C3 57 46 37 DE DB 4B CE 4D CB 64 DE DC 01 53 4D CD 31 C1 A9 20 F8 A4 1E 6A 5B 49 0F 43 C9 13 7C B7 DB B1 AE 90|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7018; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49201; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt"; flow:to_client,established; file_data; content:"Object.defineProperty(this,'filesize',{value:0x41414141,writable:false})"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-19725; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49197; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt"; flow:to_server,established; file_data; content:"Object.defineProperty(this,'filesize',{value:0x41414141,writable:false})"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-19725; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49196; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt"; flow:to_server,established; file_data; content:"|8D 76 5A 56 FA 37 D0 05 78 60 52 AD B6 8E A8 C6 38 AC BC DD 5B DC 54 5A 5B 69 25 1D CE 87 F7 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7021; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49193; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt"; flow:to_client,established; file_data; content:"|8D 76 5A 56 FA 37 D0 05 78 60 52 AD B6 8E A8 C6 38 AC BC DD 5B DC 54 5A 5B 69 25 1D CE 87 F7 C9|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7021; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49192; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF JavaScript XFA engine use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<event"; nocase; content:"<script"; distance:0; nocase; content:"xfa.form"; fast_pattern; content:"usehref"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7018; reference:cve,2019-7022; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49236; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF JavaScript XFA engine use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<event"; nocase; content:"<script"; distance:0; nocase; content:"xfa.form"; fast_pattern; content:"usehref"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7018; reference:cve,2019-7022; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49235; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; fast_pattern; content:"xfa"; within:16; distance:2; content:"applyXSL"; content:"<data>"; isdataat:91; content:!"<xfa>"; within:75; content:"<startNode>"; within:36; content:"xfasom"; within:36; content:"</data>"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7054; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49234; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; fast_pattern; content:"xfa"; within:16; distance:2; content:"applyXSL"; content:"<data>"; isdataat:91; content:!"<xfa>"; within:75; content:"<startNode>"; within:36; content:"xfasom"; within:36; content:"</data>"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7054; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49233; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; fast_pattern; content:"xfa.resolveNode"; content:"setElement"; content:"<draw"; content:!"<caption"; within:25; distance:1; content:!"<value"; within:31; distance:19; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7060; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-7060; classtype:attempted-user; sid:49230; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader Javascript out-of-bounds write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; fast_pattern; content:"xfa.resolveNode"; content:"setElement"; content:"<draw"; content:!"<caption"; within:25; distance:1; content:!"<value"; within:31; distance:19; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7060; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-7060; classtype:attempted-user; sid:49229; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat JavaScript engine use after free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; fast_pattern; content:".lineThrough|3B|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7082; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49228; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat JavaScript engine use after free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode"; fast_pattern; content:".lineThrough|3B|"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7082; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49227; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt"; flow:to_server,established; file_data; content:"|38 1B 01 00 00 64 6D C9 1B C5 6F EE 80 37 A0 85 D7 7A 76 7E 01 00 52 37 18 00 11 D1 5F E8 39 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7036; reference:url,helpx.adobe.com/security/products/acrobat/APSB19-07.html; classtype:attempted-user; sid:49226; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt"; flow:to_client,established; file_data; content:"|38 1B 01 00 00 64 6D C9 1B C5 6F EE 80 37 A0 85 D7 7A 76 7E 01 00 52 37 18 00 11 D1 5F E8 39 8D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7036; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49225; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt"; flow:to_client,established; file_data; content:"/JS(xfa.resolveNode(|22|config.present.script|22|))>>>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7053; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49214; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt"; flow:to_server,established; file_data; content:"/JS(xfa.resolveNode(|22|config.present.script|22|))>>>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7053; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49213; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat JavaScript engine use after free attempt"; flow:to_client,established; file_data; content:"u8=new Uint8Array(0x10000)|3B|}catch(e){}|0A| try{u8[0xffff]"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7029; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49212; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat JavaScript engine use after free attempt"; flow:to_server,established; file_data; content:"u8=new Uint8Array(0x10000)|3B|}catch(e){}|0A| try{u8[0xffff]"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7029; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49211; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro out of bounds write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.activeDocs[0].getField('txt1')['"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7039; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49251; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro out of bounds write attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.activeDocs[0].getField('txt1')['"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7039; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49250; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat use after free attempt"; flow:to_server,established; file_data; content:"xfa.resolveNode(|22|xfa[0].template[0].q[0]|22|)"; fast_pattern:only; content:"xfa.resolveNode(|22|xfa[0].form[0].b[0]|22|)"; content:"xfa.resolveNode(|22|xfa[0].form[0]|22|)"; within:60; content:"a.execInitialize()"; within:65; distance:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7026; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49284; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat use after free attempt"; flow:to_client,established; file_data; content:"xfa.resolveNode(|22|xfa[0].template[0].q[0]|22|)"; fast_pattern:only; content:"xfa.resolveNode(|22|xfa[0].form[0].b[0]|22|)"; content:"xfa.resolveNode(|22|xfa[0].form[0]|22|)"; within:60; content:"a.execInitialize()"; within:65; distance:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7026; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49283; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_server,established; file_data; content:"|FD E1 96 D6 8E B8 E7 13 0D 88 40 F8 86 07 2C 92 8F 94 F9 84 79 A9 D6 D6 44 BA 2C 2B 3B FE 29 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7063; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49279; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader out of bounds read attempt"; flow:to_client,established; file_data; content:"|FD E1 96 D6 8E B8 E7 13 0D 88 40 F8 86 07 2C 92 8F 94 F9 84 79 A9 D6 D6 44 BA 2C 2B 3B FE 29 34|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7063; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49278; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"|2F 4A 61 76 61 53 63 72 69 70 74 0A 20 20 20 20 2F 4A 53 28 0A 76 61 72 20 6F 20 3D 20 41 44 42 43 3B 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7067; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-7067; classtype:attempted-user; sid:49277; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2F 4A 61 76 61 53 63 72 69 70 74 0A 20 20 20 20 2F 4A 53 28 0A 76 61 72 20 6F 20 3D 20 41 44 42 43 3B 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7067; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-7067; classtype:attempted-user; sid:49276; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat untrusted pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode(|22|config.present.pdf.encryption.permissions.printHighQuality|22|)"; fast_pattern:only; content:"xfa.resolveNode(|22|template.p.a.border.corner.color|22|)"; content:"o.__defineSetter__(|27|name|27|,function()"; within:90; distance:130; content:"xfa.form.__defineSetter__(|27|name|27|,function()"; within:90; distance:30; content:"xfa.host.resetData(|27|xfa.template[0].p.exclGroup0.field0.desc|27|)"; within:110; distance:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7051; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-7051; classtype:attempted-user; sid:49275; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.resolveNode(|22|config.present.pdf.encryption.permissions.printHighQuality|22|)"; fast_pattern:only; content:"xfa.resolveNode(|22|template.p.a.border.corner.color|22|)"; content:"o.__defineSetter__(|27|name|27|,function()"; within:90; distance:130; content:"xfa.form.__defineSetter__(|27|name|27|,function()"; within:90; distance:30; content:"xfa.host.resetData(|27|xfa.template[0].p.exclGroup0.field0.desc|27|)"; within:110; distance:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7051; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-7051; classtype:attempted-user; sid:49274; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Reader XFA engine untrusted pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<subform"; nocase; content:"<script"; content:"xfa.form.nodes"; within:80; distance:10; content:"xfa.template.setAttribute"; fast_pattern:only; content:"xfa.layout.relayout"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7066; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49273; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Reader XFA engine untrusted pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<subform"; nocase; content:"<script"; content:"xfa.form.nodes"; within:80; distance:10; content:"xfa.template.setAttribute"; fast_pattern:only; content:"xfa.layout.relayout"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7066; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49272; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader use after free attempt"; flow:to_server,established; file_data; content:"app.execMenuItem('Close')|3B 0A|try{ p.remerge()|3B| } catch(e){ app.alert(e)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7068; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49267; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader use after free attempt"; flow:to_client,established; file_data; content:"app.execMenuItem('Close')|3B 0A|try{ p.remerge()|3B| } catch(e){ app.alert(e)|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7068; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49266; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat malformed PDF file stack overflow attempt"; flow:to_server,established; file_data; content:"|83 EA A1 C5 9E EF F0 DF 58 3F 3B F9 03 EF BC 60 3E 1F 63 B0 E0 B0 AB AC 99 A5 02 A7 DF D2 08 CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7020; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49265; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat malformed PDF file stack overflow attempt"; flow:to_client,established; file_data; content:"|83 EA A1 C5 9E EF F0 DF 58 3F 3B F9 03 EF BC 60 3E 1F 63 B0 E0 B0 AB AC 99 A5 02 A7 DF D2 08 CA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7020; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49264; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat malformed embedded idx file out of bounds read attempt"; flow:to_server,established; file_data; content:"|6C 00 69 00 74 00 79 14 CA 88 F4 18 34 8E 76 2D 71 55 55 55 51 4D 8E 63 78 C1 A7 C0 FF FF FF 76|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7045; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49263; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat malformed embedded idx file out of bounds read attempt"; flow:to_client,established; file_data; content:"|6C 00 69 00 74 00 79 14 CA 88 F4 18 34 8E 76 2D 71 55 55 55 51 4D 8E 63 78 C1 A7 C0 FF FF FF 76|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7045; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49262; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_server,established; file_data; content:"|2F 4A 61 76 61 53 63 72 69 70 74 0A 3E 3E 20 2F 4E 65 65 64 73 52 65 6E 64 65 72 69 6E 67 20 74 72 75 65 20 2F 45 78 74 65 6E 73 69 6F 6E 73 20 3C 3C 2F 41 44 42 45 20 3C 3C 2F 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7024; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49261; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_client,established; file_data; content:"|2F 4A 61 76 61 53 63 72 69 70 74 0A 3E 3E 20 2F 4E 65 65 64 73 52 65 6E 64 65 72 69 6E 67 20 74 72 75 65 20 2F 45 78 74 65 6E 73 69 6F 6E 73 20 3C 3C 2F 41 44 42 45 20 3C 3C 2F 45|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7024; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49260; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets.loadXML(xfa.datasets.saveXML()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7056; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49318; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"xfa.datasets.loadXML(xfa.datasets.saveXML()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7056; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49317; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_server,established; file_data; content:"|78 2E 72 65 73 6F 6C 76 65 4E 6F 64 65 73 28 27 63 6F 6E 66 69 67 2E 70 72 65 73 65 6E 74 2E 70 64 66 27 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7058; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49316; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_client,established; file_data; content:"|78 2E 72 65 73 6F 6C 76 65 4E 6F 64 65 73 28 27 63 6F 6E 66 69 67 2E 70 72 65 73 65 6E 74 2E 70 64 66 27 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7058; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49315; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat XFA JavaScript manipulation out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem(|27|Close|27|)"; fast_pattern:only; content:"xfa.datasets.aliasNode"; content:"xfa.form"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7065; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49314; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat XFA JavaScript manipulation out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.execMenuItem(|27|Close|27|)"; fast_pattern:only; content:"xfa.datasets.aliasNode"; content:"xfa.form"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7065; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49313; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat malformed PDF objects use after free attempt"; flow:to_server,established; file_data; content:"|20 6F 62 6A 20 28 C6 D1 4A 34 94 AC 36 F9 A8 88 7C D3 EA 9C 01 FF 29 0A 65 6E 64 6F 62 6A 20 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7044; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49310; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat malformed PDF objects use after free attempt"; flow:to_client,established; file_data; content:"|20 6F 62 6A 20 28 C6 D1 4A 34 94 AC 36 F9 A8 88 7C D3 EA 9C 01 FF 29 0A 65 6E 64 6F 62 6A 20 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7044; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49309; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat malformed PDF out of bounds read attempt"; flow:to_server,established; file_data; content:"|78 9C 01 B7 01 48 FE 78 9C 9D 54 4D 4F C3 30 0C BD EF 57 84 1C 91 1A 6F 20 04 9A DA 4E 1C 00 21|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7064; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49308; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat malformed PDF out of bounds read attempt"; flow:to_client,established; file_data; content:"|78 9C 01 B7 01 48 FE 78 9C 9D 54 4D 4F C3 30 0C BD EF 57 84 1C 91 1A 6F 20 04 9A DA 4E 1C 00 21|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7064; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49307; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader PostScript file out of bounds read attempt"; flow:to_server,established; file_data; content:"2b20000051700870517008f05aaaaaaa"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7074; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49306; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader PostScript file out of bounds read attempt"; flow:to_client,established; file_data; content:"2b20000051700870517008f05aaaaaaa"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7074; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49305; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_server,established; file_data; content:"|00 00 05 00 42 6F 78 30 31 01 00 00 00 0F 00 00 00 01 00 00 00 01 00 00 00 0C 00 4D 6F 64 65 6C 53 68 61 64 65 72 31 00 00 00 14 FF FF FF 84 00 00 00 00 00 00 00 06 00 4F 6D 6E 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7035; reference:cve,2019-7038; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49295; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat out of bounds read attempt"; flow:to_client,established; file_data; content:"|00 00 05 00 42 6F 78 30 31 01 00 00 00 0F 00 00 00 01 00 00 00 01 00 00 00 0C 00 4D 6F 64 65 6C 53 68 61 64 65 72 31 00 00 00 14 FF FF FF 84 00 00 00 00 00 00 00 06 00 4F 6D 6E 69|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7035; reference:cve,2019-7038; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49294; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"saveFilteredXML"; fast_pattern:only; content:"resolveNode"; content:"loadXML"; content:"__defineSetter__"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7057; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49505; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"saveFilteredXML"; fast_pattern:only; content:"resolveNode"; content:"loadXML"; content:"__defineSetter__"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7057; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49504; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_server,established; file_data; content:"|73 E1 71 F9 AE 65 2A B1 A7 4A 78 C7 79 C5 5F 0D 42 9A 49 69 AF 3C E9 56 D3 CF 4B 2D 15 DE FF 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4914; classtype:attempted-user; sid:49565; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_client,established; file_data; content:"|73 E1 71 F9 AE 65 2A B1 A7 4A 78 C7 79 C5 5F 0D 42 9A 49 69 AF 3C E9 56 D3 CF 4B 2D 15 DE FF 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4914; classtype:attempted-user; sid:49564; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_server,established; file_data; content:"|B7 36 37 D6 D7 16 57 B6 52 B4 17 16 F3 C6 63 96 09 14 95 64 75 38 2A C0 82 08 23 20 8A F4 7F DB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4914; classtype:attempted-user; sid:49563; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_client,established; file_data; content:"|B7 36 37 D6 D7 16 57 B6 52 B4 17 16 F3 C6 63 96 09 14 95 64 75 38 2A C0 82 08 23 20 8A F4 7F DB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4914; classtype:attempted-user; sid:49562; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_server,established; file_data; content:"|00 3F 00 CB A2 8A 2B F1 73 F8 0C 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4914; classtype:attempted-user; sid:49561; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 3F 00 CB A2 8A 2B F1 73 F8 0C 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2 8A 00 28 A2|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4914; classtype:attempted-user; sid:49560; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_server,established; file_data; content:"|12 1E 12 49 7C 7E 29 61 E1 AE 2A 45 3F 02 55 E7 3A 3A 1F 9B 7D 5A 95 37 0A B3 5D 18 6D 44 AD 53|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-4914; classtype:attempted-user; sid:49559; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Cool PDF Reader buffer overflow attempt"; flow:to_client,established; file_data; content:"|12 1E 12 49 7C 7E 29 61 E1 AE 2A 45 3F 02 55 E7 3A 3A 1F 9B 7D 5A 95 37 0A B3 5D 18 6D 44 AD 53|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4914; classtype:attempted-user; sid:49558; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected"; flow:to_client,established; file_data; content:"|65 5C 30 37 35 61 5C 30 35 36 6D 70 34 5C 30 34 36 73 6B 69 6E 5C 30 37 35 53 6B 69 6E 4F 76 65 72 41 6C 6C 4E 6F 46 75 6C 6C 4E 6F 43 61 70 74 69 6F 6E 5C 30 35 36 73 77 66 5C 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7076; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49600; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt detected"; flow:to_server,established; file_data; content:"|65 5C 30 37 35 61 5C 30 35 36 6D 70 34 5C 30 34 36 73 6B 69 6E 5C 30 37 35 53 6B 69 6E 4F 76 65 72 41 6C 6C 4E 6F 46 75 6C 6C 4E 6F 43 61 70 74 69 6F 6E 5C 30 35 36 73 77 66 5C 30|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7076; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49599; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"printWithParams"; content:"listMenuItems"; within:200; distance:-100; content:"oChildren"; within:200; distance:-100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7062; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49651; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"printWithParams"; content:"listMenuItems"; within:200; distance:-100; content:"oChildren"; within:200; distance:-100; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7062; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49650; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat PDF use-after-free attempt"; flow:to_server,established; file_data; content:"m(|27|Web2PDF:OpenURL|27|)|3B| } catch(excep){}|0A|try{ v16."; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7050; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49641; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat PDF use-after-free attempt"; flow:to_client,established; file_data; content:"m(|27|Web2PDF:OpenURL|27|)|3B| } catch(excep){}|0A|try{ v16."; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7050; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49640; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<font"; content:"size"; within:100; content:"kerningMode"; within:200; distance:-100; content:"fontVerticalScale"; within:200; distance:-100; pcre:"/<font[^>]+size[\s]*=[\s]*[\x22\x27]-[\d]+pt[\x22\x27]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7023; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49661; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/XFA"; fast_pattern:only; content:"<font"; content:"size"; within:100; content:"kerningMode"; within:200; distance:-100; content:"fontVerticalScale"; within:200; distance:-100; pcre:"/<font[^>]+size[\s]*=[\s]*[\x22\x27]-[\d]+pt[\x22\x27]/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7023; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49660; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt"; flow:to_server,established; file_data; content:"|76 97 7E 7D 47 92 93 D8 5E 7B 09 31 08 3C F3 9E 46 33 A3 A7 11 57 47 DD 91 3D 38 AF AC D9 D1 2D DB 50 02 A6 B2 B5 32 ED 8E FE FE F5 AD F8 4C AF 4A 71 AC FB 4B 5C 04 C9 C6 C7 BF 1D BD 0B A1 BF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-7023; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49659; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt"; flow:to_client,established; file_data; content:"|76 97 7E 7D 47 92 93 D8 5E 7B 09 31 08 3C F3 9E 46 33 A3 A7 11 57 47 DD 91 3D 38 AF AC D9 D1 2D DB 50 02 A6 B2 B5 32 ED 8E FE FE F5 AD F8 4C AF 4A 71 AC FB 4B 5C 04 C9 C6 C7 BF 1D BD 0B A1 BF|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-7023; reference:url,helpx.adobe.com/security/products/acrobat/apsb19-07.html; classtype:attempted-user; sid:49658; rev:1;)